What is the severity of CVE-2024-22387?

CVE-2024-22387 has been assessed to have a critical severity as it can lead to compromised physical security controls.

How do I fix CVE-2024-22387?

To fix CVE-2024-22387, users should upgrade their Gallagher Controller 6000 or Controller 7000 devices to the latest version released by Gallagher.

Which products are affected by CVE-2024-22387?

CVE-2024-22387 affects Gallagher Controller 6000 and Controller 7000 versions up to vCR9.10.240520a, as well as earlier versions.

What vulnerabilities does CVE-2024-22387 exploit?

CVE-2024-22387 exploits external control weaknesses in the device's diagnostic web interface, allowing state data manipulation.

Who is the vendor for CVE-2024-22387?

The vendor for CVE-2024-22387 is Gallagher, known for their security and access control solutions.

Vulnerability/
CVE-2024-22387

medium

6.8

CWE

642

11/7/2024

1/8/2024

CVE-2024-22387

First published: Thu Jul 11 2024(Updated: )

External Control of Critical State Data (CWE-642) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated user to modify device I/O connections leading to unexpected behavior that in some circumstances could compromise site physical security controls. Gallagher recommend the diagnostic web page is not enabled (default is off) unless advised by Gallagher Technical support. This interface is intended only for diagnostic purposes. This issue affects: Gallagher Controller 6000 and 7000 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior.

Credit: disclosures@gallagher.com

Affected Software	Affected Version	How to fix
Gallagher Controller 6000 Firmware	<vCR9.10.240520a
Gallagher Controller 7000 Firmware	<vCR9.10.240520a
Gallagher Controller 6000 Firmware	<vCR9.00.240521a
Gallagher Controller 7000 Firmware	<vCR9.00.240521a
Gallagher Controller 6000 Firmware	<vCR8.90.240520a
Gallagher Controller 7000 Firmware	<vCR8.90.240520a
Gallagher Controller 6000 Firmware	<vCR8.80.240520a
Gallagher Controller 7000 Firmware	<vCR8.80.240520a
Gallagher Controller 6000 Firmware	<vCR8.70.240520a
Gallagher Controller 7000 Firmware	<vCR8.70.240520a
Gallagher Controller 6000 Firmware	<all versions of 8.60
Gallagher Controller 7000 Firmware	<all versions of 8.60

Never miss a vulnerability like this again

Reference Links

https://security.gallagher.com/Security-Advisories/CVE-2024-22387

Frequently Asked Questions

What is the severity of CVE-2024-22387?
CVE-2024-22387 has been assessed to have a critical severity as it can lead to compromised physical security controls.
How do I fix CVE-2024-22387?
To fix CVE-2024-22387, users should upgrade their Gallagher Controller 6000 or Controller 7000 devices to the latest version released by Gallagher.
Which products are affected by CVE-2024-22387?
CVE-2024-22387 affects Gallagher Controller 6000 and Controller 7000 versions up to vCR9.10.240520a, as well as earlier versions.
What vulnerabilities does CVE-2024-22387 exploit?
CVE-2024-22387 exploits external control weaknesses in the device's diagnostic web interface, allowing state data manipulation.
Who is the vendor for CVE-2024-22387?
The vendor for CVE-2024-22387 is Gallagher, known for their security and access control solutions.

agent/references
agent/weakness
agent/type
agent/description
agent/first-publish-date
agent/severity
agent/author
agent/event
collector/nvd-api
source/NVD
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/tags
agent/softwarecombine
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/gallagher
canonical/gallagher controller 6000 firmware
canonical/gallagher controller 7000 firmware