CVE-2023-24590
📋 TL;DR
A format string vulnerability in Gallagher Controller 6000's diagnostic web interface allows attackers to read/write memory and potentially crash the device, causing denial of service. This affects Gallagher Controller 6000 versions 8.50 and earlier, and version 8.60 before vCR8.60.231116a.
💻 Affected Systems
- Gallagher Controller 6000
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or permanent device damage requiring hardware replacement.
Likely Case
Denial of service through device crash, potentially disrupting physical access control systems and security operations.
If Mitigated
Limited information disclosure or minor service disruption if proper network segmentation and access controls are implemented.
🎯 Exploit Status
Format string vulnerabilities typically require some reverse engineering but are well-understood attack vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: vCR8.60.231116a (distributed in 8.60.2550 (MR7))
Vendor Advisory: https://security.gallagher.com/Security-Advisories/CVE-2023-24590
Restart Required: Yes
Instructions:
1. Download the firmware update from the Gallagher support portal.
2. Back up the current configuration.
3. Apply the firmware update following Gallagher's upgrade procedures.
4. Restart the controller.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Disable Diagnostic Interface
Disable the optional diagnostic web interface if it is not required for operations.
Configuration varies by version; consult the Gallagher documentation for the procedure to disable the diagnostic interface.
Network Segmentation
Restrict network access to the diagnostic interface using firewall rules. The ACCEPT rule for trusted networks must be inserted before the DROP rule, because iptables evaluates rules in order:

```shell
# Allow only trusted management networks to reach the diagnostic interface
iptables -A INPUT -p tcp --dport [diagnostic_port] -s [trusted_networks] -j ACCEPT
# Drop everything else destined for the diagnostic interface port
iptables -A INPUT -p tcp --dport [diagnostic_port] -j DROP
```
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted management networks only.
- Monitor for unusual access attempts to the diagnostic interface and implement intrusion detection rules.
🔍 How to Verify
Check if Vulnerable:
Check the controller firmware version via Gallagher Command Centre or the web interface. If the version is 8.50 or earlier, or 8.60 without the vCR8.60.231116a patch, the system is vulnerable.
Check Version:
Check via the Gallagher Command Centre interface or the web admin panel; specific commands vary by deployment.
Verify Fix Applied:
Verify that the firmware version shows vCR8.60.231116a or later in the 8.60 series, or confirm that the diagnostic interface is disabled.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to diagnostic web interface
- Controller crash/restart events in system logs
- Format string patterns in web request logs
Network Indicators:
- Unexpected traffic to diagnostic interface ports
- Malformed HTTP requests containing format string specifiers
SIEM Query:
source="controller_logs" AND ((event="crash" OR event="restart") OR http_request CONTAINS "%n" OR http_request CONTAINS "%s" OR http_request CONTAINS "%x")