
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-22439 is a vulnerability in the optional diagnostic web interface (TCP port 80) of the Gallagher Controller 6000 and Controller 7000. It was reported by Sebastian Toscano and Kevin Schaller of Amazon Security. Affected Controller firmware: 8.90 prior to vCR8.90.231204a, 8.80 prior to vCR8.80.231204a, 8.70 prior to vCR8.70.231204a, 8.60 prior to vCR8.60.231116a, and all versions 8.50 and prior (Vendor Advisory).
The root cause is improper input validation (CWE-20) of large HTTP requests received by the diagnostic web interface. NVD assigns a CVSS v3.1 base score of 4.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L, while Gallagher Group Ltd. assigns 3.1 (LOW) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L. The two vectors differ only in attack complexity (AC:L versus AC:H); both agree that the impact is limited to availability (A:L) (NVD).
When exploited, this vulnerability can lead to a Denial of Service condition specifically affecting the diagnostic web interface. The impact is limited to the diagnostic interface functionality, with no reported impacts on confidentiality or integrity (Vendor Advisory).
Mitigation consists of keeping the optional diagnostic web interface disabled: ensure dipswitch 1 is off on all Controllers, uncheck the option 'Dipswitch 1 controls the diagnostic web interface' on the Controller property pages in Configuration Client, and do not use the Controller override 'Enable WWW Connections'. Fixed maintenance releases are available for the affected branches: v8.90.1620 (MR2), v8.80.1369 (MR3), v8.70.2375 (MR5), and v8.60.2550 (MR7) (Vendor Advisory).
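As an added example (not code from this page or from Gallagher), the following Python triages a controller inventory against the affected-version ranges listed above and provides a post-mitigation check that TCP/80 on a controller no longer accepts connections. It assumes the vCR version strings follow the pattern vCR<major>.<minor>.<YYMMDD><letter>, with the trailing letter ordering builds made on the same day; the maintenance-release numbers (v8.90.1620 and so on) use a different scheme and are not compared here. The inventory rows and 192.0.2.x addresses are constructed sample data.

```python
import re
import socket
from typing import Iterable, List, Optional, Tuple

# Fixed builds per the Gallagher advisory for CVE-2023-22439: a controller on
# branch X.YY is affected if its build is earlier than the listed vCR build.
FIXED_BUILDS = {
    (8, 90): "vCR8.90.231204a",
    (8, 80): "vCR8.80.231204a",
    (8, 70): "vCR8.70.231204a",
    (8, 60): "vCR8.60.231116a",
}
# "All versions of 8.50 and prior" are affected with no fixed build.
LAST_UNFIXED_BRANCH = (8, 50)

# Assumption (not stated on the page): vCR versions look like
# "vCR<major>.<minor>.<YYMMDD><letter>"; a missing letter sorts before "a".
_VCR_RE = re.compile(r"^vCR(\d+)\.(\d+)\.(\d{6})([a-z]?)$")


def parse_vcr(version: str) -> Tuple[Tuple[int, int], Tuple[int, str]]:
    """Split 'vCR8.90.231204a' into branch (8, 90) and build (231204, 'a')."""
    m = _VCR_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a vCR version string: {version!r}")
    major, minor, build, suffix = m.groups()
    return (int(major), int(minor)), (int(build), suffix)


def is_affected(version: str) -> Optional[bool]:
    """True if affected, False if at or past the fixed build,
    None if the branch is not covered by the advisory (do not guess)."""
    branch, build = parse_vcr(version)
    if branch <= LAST_UNFIXED_BRANCH:
        return True
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    _, fixed_build = parse_vcr(fixed)
    return build < fixed_build


def triage_inventory(rows: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """rows: 'name,address,firmware' lines; returns (name, address, firmware, status)."""
    results = []
    for line in rows:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, addr, fw = (f.strip() for f in line.split(",", 2))
        try:
            verdict = is_affected(fw)
        except ValueError:
            status = "unparseable"
        else:
            status = {True: "AFFECTED", False: "fixed", None: "unlisted-branch"}[verdict]
        results.append((name, addr, fw, status))
    return results


def diag_web_reachable(host: str, timeout: float = 2.0) -> bool:
    """Heuristic post-mitigation check. The advisory places the diagnostic web
    interface on TCP/80, so a controller that still accepts a connection there
    may still have it enabled; a refused or timed-out connect is the expected
    result once dipswitch 1 is off and the 'Enable WWW Connections' override is
    not in use. Only point this at controllers you own."""
    try:
        with socket.create_connection((host, 80), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample inventory (TEST-NET-1 addresses, not real controllers).
SAMPLE_INVENTORY = """
# name,address,firmware
ctrl-lobby,192.0.2.10,vCR8.90.231120a
ctrl-dock,192.0.2.11,vCR8.90.231204a
ctrl-plant,192.0.2.12,vCR8.60.231116a
ctrl-legacy,192.0.2.13,vCR8.50.220310a
ctrl-lab,192.0.2.14,vCR9.00.240101a
""".strip().splitlines()

if __name__ == "__main__":
    for name, addr, fw, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{name:12} {addr:14} {fw:18} {status}")
    # diag_web_reachable(addr) would be run here against real, owned hosts.
```

The branch table is deliberately conservative: a version on a branch the advisory does not list comes back as "unlisted-branch" rather than being assumed safe, and a build with no trailing letter is treated as older than the same-day "a" build.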
Source: This report was generated using AI