CVE-2023-41967 (GCVE-0-2023-41967)

Vulnerability from cvelistv5 – Published: 2023-12-18 22:00 – Updated: 2024-08-02 19:09
VLAI?
Summary
Sensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller's default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages. This issue affects: Gallagher Controller 6000 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), v8.60 or earlier.
Severity ?
2.4 (Low)
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-1272 - Sensitive Information Uncleared Before Debug/Power State Transition
Assigner
References
Impacted products
Vendor Product Version
Gallagher Controller 6000 Affected: 0 , ≤ 8.60 (custom)
Affected: 8.70 , < vCR8.70.231204a (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:09:49.372Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gallagher.com/Security-Advisories/CVE-2023-41967"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Controller 6000",
          "vendor": "Gallagher",
          "versions": [
            {
              "lessThanOrEqual": "8.60",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "vCR8.70.231204a",
              "status": "affected",
              "version": "8.70",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller\u0027s default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages. \u003cbr\u003e\u003cbr\u003eThis issue affects: Gallagher Controller 6000 \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ev8.60 or earlier.\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "\nSensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller\u0027s default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages. \n\nThis issue affects: Gallagher Controller 6000 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), v8.60 or earlier.\n\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1272",
              "description": "CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-18T22:00:38.751Z",
        "orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
        "shortName": "Gallagher"
      },
      "references": [
        {
          "url": "https://security.gallagher.com/Security-Advisories/CVE-2023-41967"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
    "assignerShortName": "Gallagher",
    "cveId": "CVE-2023-41967",
    "datePublished": "2023-12-18T22:00:38.751Z",
    "dateReserved": "2023-11-01T22:24:52.305Z",
    "dateUpdated": "2024-08-02T19:09:49.372Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:gallagher:controller_6000_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"8.60\", \"matchCriteriaId\": \"E5B756DF-6D8A-4B89-9DAB-3EBD00C75E3A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:gallagher:controller_6000_firmware:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.70\", \"versionEndExcluding\": \"8.70.231204a\", \"matchCriteriaId\": \"30EEB0FF-D2F2-47DA-9666-6532730B195F\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:gallagher:controller_6000:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5AF2B03B-B033-439F-8CEE-334FA8053278\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"\\nSensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller\u0027s default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages. \\n\\nThis issue affects: Gallagher Controller 6000 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), v8.60 or earlier.\\n\\n\\n\"}, {\"lang\": \"es\", \"value\": \"Un atacante con conocimiento de la contrase\\u00f1a de diagn\\u00f3stico predeterminada de Controller 6000 y acceso f\\u00edsico al Controlador para ver su configuraci\\u00f3n a trav\\u00e9s de las p\\u00e1ginas web de diagn\\u00f3stico podr\\u00eda abusar de la informaci\\u00f3n confidencial no borrada despu\\u00e9s de la transici\\u00f3n del estado de depuraci\\u00f3n/encendido en el Controlador. Este problema afecta a: Gallagher Controller 6000 8.70 anterior a vCR8.70.231204a (distribuido en 8.70.2375 (MR5)), v8.60 o anterior.\"}]",
      "id": "CVE-2023-41967",
      "lastModified": "2024-11-21T08:22:00.680",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"disclosures@gallagher.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 2.4, \"baseSeverity\": \"LOW\", \"attackVector\": \"PHYSICAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 0.9, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 4.6, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"PHYSICAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 0.9, \"impactScore\": 3.6}]}",
      "published": "2023-12-18T22:15:08.770",
      "references": "[{\"url\": \"https://security.gallagher.com/Security-Advisories/CVE-2023-41967\", \"source\": \"disclosures@gallagher.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://security.gallagher.com/Security-Advisories/CVE-2023-41967\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "disclosures@gallagher.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"disclosures@gallagher.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-1272\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-212\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-41967\",\"sourceIdentifier\":\"disclosures@gallagher.com\",\"published\":\"2023-12-18T22:15:08.770\",\"lastModified\":\"2024-11-21T08:22:00.680\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\nSensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller\u0027s default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages. \\n\\nThis issue affects: Gallagher Controller 6000 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), v8.60 or earlier.\\n\\n\\n\"},{\"lang\":\"es\",\"value\":\"Un atacante con conocimiento de la contrase\u00f1a de diagn\u00f3stico predeterminada de Controller 6000 y acceso f\u00edsico al Controlador para ver su configuraci\u00f3n a trav\u00e9s de las p\u00e1ginas web de diagn\u00f3stico podr\u00eda abusar de la informaci\u00f3n confidencial no borrada despu\u00e9s de la transici\u00f3n del estado de depuraci\u00f3n/encendido en el Controlador. Este problema afecta a: Gallagher Controller 6000 8.70 anterior a vCR8.70.231204a (distribuido en 8.70.2375 (MR5)), v8.60 o anterior.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"disclosures@gallagher.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":2.4,\"baseSeverity\":\"LOW\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"disclosures@gallagher.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1272\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-212\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gallagher:controller_6000_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"8.60\",\"matchCriteriaId\":\"E5B756DF-6D8A-4B89-9DAB-3EBD00C75E3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gallagher:controller_6000_firmware:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.70\",\"versionEndExcluding\":\"8.70.231204a\",\"matchCriteriaId\":\"30EEB0FF-D2F2-47DA-9666-6532730B195F\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gallagher:controller_6000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5AF2B03B-B033-439F-8CEE-334FA8053278\"}]}]}],\"references\":[{\"url\":\"https://security.gallagher.com/Security-Advisories/CVE-2023-41967\",\"source\":\"disclosures@gallagher.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.gallagher.com/Security-Advisories/CVE-2023-41967\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.