CVE-2024-22383 (GCVE-0-2024-22383)
Vulnerability from cvelistv5 – Published: 2024-03-05 03:12 – Updated: 2024-08-01 22:43
VLAI?
Summary
Missing release of resource after effective lifetime (CWE-772) in the Controller 7000 resulted in HBUS connected T-Series readers to not automatically recover after coming under attack over the RS-485 interface, resulting in a persistent denial of service.
This issue affects: All variants of the Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507(MR1)), 8.90 prior to vCR8.90.240209b (distributed in 8.90.1751 (MR3)), 8.80 prior to vCR8.80.240209a (distributed in 8.80.1526 (MR4)), 8.70 prior to vCR8.70.240209a (distributed in 8.70.2526 (MR6)).
Severity ?
6.2 (Medium)
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gallagher | Controller 7000 |
Affected:
9.00 , < vCR9.00.231204b
(custom)
Affected: 8.90 , < vCR8.90.240209b (custom) Affected: 8.80 , < vCR8.80.240209a (custom) Affected: 8.70 , < vCR8.70.240209a (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T20:52:27.008902Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:52:48.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:34.539Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-22383"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Controller 7000",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "vCR9.00.231204b",
"status": "affected",
"version": "9.00",
"versionType": "custom"
},
{
"lessThan": "vCR8.90.240209b",
"status": "affected",
"version": "8.90",
"versionType": "custom"
},
{
"lessThan": "vCR8.80.240209a",
"status": "affected",
"version": "8.80",
"versionType": "custom"
},
{
"lessThan": "vCR8.70.240209a",
"status": "affected",
"version": "8.70",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOnly sites with Controller 7000 or Controller 7000 SDC (Single Door Controller) are affected. To exploit this an attacker would need access to the HBUS cabling, ensure HBUS cables are suitably protected. \u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nOnly sites with Controller 7000 or Controller 7000 SDC (Single Door Controller) are affected. To exploit this an attacker would need access to the HBUS cabling, ensure HBUS cables are suitably protected. \n\n\n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMissing release of resource after effective lifetime (CWE-772) in the Controller 7000 resulted in HBUS connected T-Series readers to not automatically recover after coming under attack over the RS-485 interface, resulting in a persistent denial of service. \u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003eThis issue affects: All variants of the Gallagher Controller 7000 \u003c/span\u003e9.00 prior to vCR9.00.231204b (distributed in 9.00.1507(MR1)), 8.90 prior to vCR8.90.240209b (distributed in 8.90.1751 (MR3)),\u0026nbsp;8.80 prior to vCR8.80.240209a (distributed in 8.80.1526 (MR4)), 8.70 prior to vCR8.70.240209a (distributed in 8.70.2526 (MR6)).\n\n\u003cp\u003e\u003c/p\u003e"
}
],
"value": "\nMissing release of resource after effective lifetime (CWE-772) in the Controller 7000 resulted in HBUS connected T-Series readers to not automatically recover after coming under attack over the RS-485 interface, resulting in a persistent denial of service. \n\nThis issue affects: All variants of the Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507(MR1)), 8.90 prior to vCR8.90.240209b (distributed in 8.90.1751 (MR3)),\u00a08.80 prior to vCR8.80.240209a (distributed in 8.80.1526 (MR4)), 8.70 prior to vCR8.70.240209a (distributed in 8.70.2526 (MR6)).\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-05T03:12:29.581Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-22383"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2024-22383",
"datePublished": "2024-03-05T03:12:29.581Z",
"dateReserved": "2024-02-05T04:16:47.982Z",
"dateUpdated": "2024-08-01T22:43:34.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"\\nMissing release of resource after effective lifetime (CWE-772) in the Controller 7000 resulted in HBUS connected T-Series readers to not automatically recover after coming under attack over the RS-485 interface, resulting in a persistent denial of service. \\n\\nThis issue affects: All variants of the Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507(MR1)), 8.90 prior to vCR8.90.240209b (distributed in 8.90.1751 (MR3)),\\u00a08.80 prior to vCR8.80.240209a (distributed in 8.80.1526 (MR4)), 8.70 prior to vCR8.70.240209a (distributed in 8.70.2526 (MR6)).\\n\\n\\n\\n\"}, {\"lang\": \"es\", \"value\": \"La falta de liberaci\\u00f3n de recursos despu\\u00e9s de la vida \\u00fatil efectiva (CWE-772) en Controller 7000 provoc\\u00f3 que los lectores de la Serie T conectados a HBUS no se recuperaran autom\\u00e1ticamente despu\\u00e9s de ser atacados a trav\\u00e9s de la interfaz RS-485, lo que result\\u00f3 en una denegaci\\u00f3n de servicio persistente. Este problema afecta a: Todas las variantes del Gallagher Controller 7000 9.00 anterior a vCR9.00.231204b (distribuido en 9.00.1507(MR1)), 8.90 anterior a vCR8.90.240209b (distribuido en 8.90.1751 (MR3)), 8.80 anterior a vCR8.80.240209a (distribuido en 8.80.1526 (MR4)), 8.70 antes de vCR8.70.240209a (distribuido en 8.70.2526 (MR6)).\"}]",
"id": "CVE-2024-22383",
"lastModified": "2024-11-21T08:56:09.863",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"disclosures@gallagher.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 6.2, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.5, \"impactScore\": 3.6}]}",
"published": "2024-03-05T03:15:06.470",
"references": "[{\"url\": \"https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-22383\", \"source\": \"disclosures@gallagher.com\"}, {\"url\": \"https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-22383\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "disclosures@gallagher.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"disclosures@gallagher.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-772\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-22383\",\"sourceIdentifier\":\"disclosures@gallagher.com\",\"published\":\"2024-03-05T03:15:06.470\",\"lastModified\":\"2024-11-21T08:56:09.863\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\nMissing release of resource after effective lifetime (CWE-772) in the Controller 7000 resulted in HBUS connected T-Series readers to not automatically recover after coming under attack over the RS-485 interface, resulting in a persistent denial of service. \\n\\nThis issue affects: All variants of the Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507(MR1)), 8.90 prior to vCR8.90.240209b (distributed in 8.90.1751 (MR3)),\u00a08.80 prior to vCR8.80.240209a (distributed in 8.80.1526 (MR4)), 8.70 prior to vCR8.70.240209a (distributed in 8.70.2526 (MR6)).\\n\\n\\n\\n\"},{\"lang\":\"es\",\"value\":\"La falta de liberaci\u00f3n de recursos despu\u00e9s de la vida \u00fatil efectiva (CWE-772) en Controller 7000 provoc\u00f3 que los lectores de la Serie T conectados a HBUS no se recuperaran autom\u00e1ticamente despu\u00e9s de ser atacados a trav\u00e9s de la interfaz RS-485, lo que result\u00f3 en una denegaci\u00f3n de servicio persistente. Este problema afecta a: Todas las variantes del Gallagher Controller 7000 9.00 anterior a vCR9.00.231204b (distribuido en 9.00.1507(MR1)), 8.90 anterior a vCR8.90.240209b (distribuido en 8.90.1751 (MR3)), 8.80 anterior a vCR8.80.240209a (distribuido en 8.80.1526 (MR4)), 8.70 antes de vCR8.70.240209a (distribuido en 8.70.2526 (MR6)).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"disclosures@gallagher.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.5,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"disclosures@gallagher.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-772\"}]}],\"references\":[{\"url\":\"https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-22383\",\"source\":\"disclosures@gallagher.com\"},{\"url\":\"https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-22383\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-22383\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T22:43:34.539Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-22383\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-05T20:52:27.008902Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:15.994Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"source\": {\"discovery\": \"INTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Gallagher\", \"product\": \"Controller 7000\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.00\", \"lessThan\": \"vCR9.00.231204b\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"8.90\", \"lessThan\": \"vCR8.90.240209b\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"8.80\", \"lessThan\": \"vCR8.80.240209a\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"8.70\", \"lessThan\": \"vCR8.70.240209a\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-22383\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"\\nMissing release of resource after effective lifetime (CWE-772) in the Controller 7000 resulted in HBUS connected T-Series readers to not automatically recover after coming under attack over the RS-485 interface, resulting in a persistent denial of service. \\n\\nThis issue affects: All variants of the Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507(MR1)), 8.90 prior to vCR8.90.240209b (distributed in 8.90.1751 (MR3)),\\u00a08.80 prior to vCR8.80.240209a (distributed in 8.80.1526 (MR4)), 8.70 prior to vCR8.70.240209a (distributed in 8.70.2526 (MR6)).\\n\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eMissing release of resource after effective lifetime (CWE-772) in the Controller 7000 resulted in HBUS connected T-Series readers to not automatically recover after coming under attack over the RS-485 interface, resulting in a persistent denial of service. \u003c/span\u003e\u003cbr\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u003cbr\u003eThis issue affects: All variants of the Gallagher Controller 7000 \u003c/span\u003e9.00 prior to vCR9.00.231204b (distributed in 9.00.1507(MR1)), 8.90 prior to vCR8.90.240209b (distributed in 8.90.1751 (MR3)),\u0026nbsp;8.80 prior to vCR8.80.240209a (distributed in 8.80.1526 (MR4)), 8.70 prior to vCR8.70.240209a (distributed in 8.70.2526 (MR6)).\\n\\n\u003cp\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-772\", \"description\": \"CWE-772 Missing Release of Resource after Effective Lifetime\"}]}], \"configurations\": [{\"lang\": \"en\", \"value\": \"\\nOnly sites with Controller 7000 or Controller 7000 SDC (Single Door Controller) are affected. To exploit this an attacker would need access to the HBUS cabling, ensure HBUS cables are suitably protected. \\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eOnly sites with Controller 7000 or Controller 7000 SDC (Single Door Controller) are affected. To exploit this an attacker would need access to the HBUS cabling, ensure HBUS cables are suitably protected. \u003c/span\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"0c426f27-3ee1-4eff-be88-288d5a1822bc\", \"shortName\": \"Gallagher\", \"dateUpdated\": \"2024-03-05T03:12:29.581Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-22383\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T22:43:34.539Z\", \"dateReserved\": \"2024-02-05T04:16:47.982Z\", \"assignerOrgId\": \"0c426f27-3ee1-4eff-be88-288d5a1822bc\", \"datePublished\": \"2024-03-05T03:12:29.581Z\", \"assignerShortName\": \"Gallagher\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…