Headline
CVE-2022-26078: CVE-2022-26078
Gallagher Controller 6000 is vulnerable to a Denial of Service attack via conflicting ARP packets with a duplicate IP address. This issue affects: Gallagher Gallagher Controller 6000 vCR8.60 versions prior to 220303a; vCR8.50 versions prior to 220303a; vCR8.40 versions prior to 220303a; vCR8.30 versions prior to 220303a.
Severity: High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Components affected: Gallagher Controller 6000
Version of Command Centre affected: 8.60 prior to vCR8.60.220303a (distributed in 8.60.1652 (MR2)), 8.50 prior to vCR8.50.220303a (distributed in 8.50.2245 (MR4)), 8.40 prior to vCR8.40.220303a (distributed in 8.40.2216 (MR5)), 8.30 prior to vCR8.30.220303a (distributed in 8.30.1470 (MR5))
Reported by: Customer reported
Active exploitation of vulnerability*: No
Description of vulnerability: Gallagher Controller 6000 is vulnerable to a Denial of Service attack via conflicting ARP packets with a duplicate IP address. This issue affects: Gallagher Controller 60008.60 prior to vCR8.60.220303a (distributed in 8.60.1652 (MR2)), 8.50 prior to vCR8.50.220303a (distributed in 8.50.2245 (MR4)), 8.40 prior to vCR8.40.220303a (distributed in 8.40.2216 (MR5)), 8.30 prior to vCR8.30.220303a (distributed in 8.30.1470 (MR5))
Mitigation: Segregate networks to reduce likelihood of attack
Maintenance releases are now available for:
v8.60 - v8.60.1652 (MR2)
v8.50 - v8.50.2245 (MR4)
v8.40 - v8.40.2216 (MR5)
v8.30 - v8.30.1470 (MR5)
*This indicates whether Gallagher are aware of this being actively exploited against customer sites at the time of publication.