First published: Wed Sep 11 2024
Buffer Copy without Checking Size of Input (CWE-120) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authorised and authenticated operator to reboot the Controller, causing a Denial of Service. Gallagher recommend the diagnostic web page is not enabled (default is off) unless advised by Gallagher Technical support. This interface is intended only for diagnostic purposes. This issue affects: Controller 6000 and Controller 7000 9.10 prior to vCR9.10.240816a (distributed in 9.10.1530 (MR2)), 9.00 prior to vCR9.00.240816a (distributed in 9.00.2168 (MR4)), 8.90 prior to vCR8.90.240816a (distributed in 8.90.2155 (MR5)), 8.80 prior to vCR8.80.240816b (distributed in 8.80.1938 (MR6)), all versions of 8.70 and prior.
Credit: disclosures@gallagher.com
Affected Software | Affected Version | How to fix |
---|---|---|
Gallagher Controller 6000 Firmware | 9.10 prior to vCR9.10.240816a | Update to vCR9.10.240816a (distributed in 9.10.1530 (MR2)) or later |
Gallagher Controller 7000 Firmware | 9.10 prior to vCR9.10.240816a | Update to vCR9.10.240816a (distributed in 9.10.1530 (MR2)) or later |
Gallagher Controller 6000 Firmware | 9.00 prior to vCR9.00.240816a | Update to vCR9.00.240816a (distributed in 9.00.2168 (MR4)) or later |
Gallagher Controller 7000 Firmware | 9.00 prior to vCR9.00.240816a | Update to vCR9.00.240816a (distributed in 9.00.2168 (MR4)) or later |
Gallagher Controller 6000 Firmware | 8.90 prior to vCR8.90.240816a | Update to vCR8.90.240816a (distributed in 8.90.2155 (MR5)) or later |
Gallagher Controller 7000 Firmware | 8.90 prior to vCR8.90.240816a | Update to vCR8.90.240816a (distributed in 8.90.2155 (MR5)) or later |
Gallagher Controller 6000 Firmware | 8.80 prior to vCR8.80.240816b | Update to vCR8.80.240816b (distributed in 8.80.1938 (MR6)) or later |
Gallagher Controller 7000 Firmware | 8.80 prior to vCR8.80.240816b | Update to vCR8.80.240816b (distributed in 8.80.1938 (MR6)) or later |
Gallagher Controller 6000 Firmware | all versions of 8.70 and prior | No fixed 8.70 release is listed; upgrade to a fixed 8.80 or later release and keep the diagnostic web page disabled |
Gallagher Controller 7000 Firmware | all versions of 8.70 and prior | No fixed 8.70 release is listed; upgrade to a fixed 8.80 or later release and keep the diagnostic web page disabled |
CVE-2024-24972 is rated high severity because an authenticated operator can use it to reboot the controller, causing a Denial of Service on a physical access control device.
To mitigate CVE-2024-24972, keep the diagnostic web interface disabled (it is off by default and intended only for diagnostics, to be enabled only when advised by Gallagher Technical Support) and update to the fixed firmware for your release branch: vCR9.10.240816a, vCR9.00.240816a, vCR8.90.240816a or vCR8.80.240816b, or later.
CVE-2024-24972 affects Gallagher Controller 6000 and Controller 7000 firmware: 9.10 prior to vCR9.10.240816a, 9.00 prior to vCR9.00.240816a, 8.90 prior to vCR8.90.240816a, 8.80 prior to vCR8.80.240816b, and all versions of 8.70 and prior.
CVE-2024-24972 cannot be exploited by an unauthenticated attacker: it requires an authorised and authenticated operator, and the diagnostic web interface must be enabled, which limits the exposure to authorised users of that interface.
CVE-2024-24972 is classified as Buffer Copy without Checking Size of Input (CWE-120).
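The advisory says only that the diagnostic web interface copies input without checking its size (CWE-120) and that the result is a reboot. The example below is added here to show that bug class and its fix in general terms; it is not Gallagher's code, the advisory gives no detail of the real parameter or buffer, and the handler names, the PARAM_MAX size and the sample inputs are all invented for illustration. The unchecked handler copies a request value into a fixed stack buffer with strcpy, so a value of PARAM_MAX bytes or more overruns the buffer (on an embedded controller that typically ends in a crash and watchdog reset, i.e. a Denial of Service); the checked handler measures the input without reading past the buffer size and answers oversize input with a 400 instead.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative size and names: not Gallagher's code, and the advisory gives
   no detail of the real parameter or buffer. */
#define PARAM_MAX 16

/* Vulnerable pattern (CWE-120): the parameter value is copied into a
   fixed-size stack buffer with no check that it fits. A value of PARAM_MAX
   bytes or more overruns buf, which is undefined behaviour; on a controller
   that usually means a crash and a watchdog reboot. Only ever call this
   with input that fits. */
int handle_diag_param_unchecked(const char *value)
{
    char buf[PARAM_MAX];
    strcpy(buf, value);           /* no bound: this is the defect */
    return 200;                   /* request "handled" */
}

/* Length of s, never reading more than max bytes (same idea as POSIX strnlen,
   written out so the example does not depend on a platform extension). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

enum copy_result { COPY_OK = 0, COPY_TOO_LONG = 1, COPY_BAD_ARG = 2 };

/* Hardened copy: rejects input that does not fit, terminator included, in
   dst_size bytes, and never reads past dst_size bytes of src. */
enum copy_result copy_param_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARG;
    size_t n = bounded_len(src, dst_size);
    if (n == dst_size)            /* no terminator within dst_size: too long */
        return COPY_TOO_LONG;
    memcpy(dst, src, n + 1);      /* n + 1 <= dst_size, terminator included */
    return COPY_OK;
}

/* Hardened handler: an oversize or missing value gets 400 Bad Request
   instead of corrupting the stack and rebooting the device. */
int handle_diag_param_checked(const char *value)
{
    char buf[PARAM_MAX];
    if (copy_param_checked(buf, sizeof buf, value) != COPY_OK)
        return 400;
    return 200;
}

/* Constructed sample inputs (not captured from any device). */
static const char FITS[]       = "123456789012345";  /* 15 chars + NUL = PARAM_MAX */
static const char ONE_OVER[]   = "1234567890123456"; /* 16 chars: one byte too many */
static const char LONG_VALUE[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* well over PARAM_MAX */

int main(void)
{
    printf("checked '%s' -> %d\n", FITS, handle_diag_param_checked(FITS));
    printf("checked %zu-byte value -> %d\n", strlen(LONG_VALUE),
           handle_diag_param_checked(LONG_VALUE));
    /* the unchecked handler is only exercised with input that fits */
    printf("unchecked '%s' -> %d\n", FITS, handle_diag_param_unchecked(FITS));
    return 0;
}
```

The boundary case is the one to check when reviewing such a fix: a value of exactly PARAM_MAX characters needs PARAM_MAX + 1 bytes with its terminator, so the checked handler must reject it, which is why bounded_len is asked for at most dst_size bytes and a result equal to dst_size is treated as too long.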