Incorrect selection of fuse values in the Controller 7000 platform allows an attacker to bypass some protection mechanisms to enable local debug.
This issue affects: Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507 (MR1)), 8.90 prior to vCR8.90.231204a (distributed in 8.90.1620 (MR2)), 8.80 prior to vCR8.80.231204a (distributed in 8.80.1369 (MR3)), 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)).
The logic level used to set a system to a secure state relies on a fuse being unblown.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Controller_7000_firmware | Gallagher | 8.70 (including) | 8.70.231204a (excluding) |
| Controller_7000_firmware | Gallagher | 8.80 (including) | 8.80.231204a (excluding) |
| Controller_7000_firmware | Gallagher | 8.90 (including) | 8.90.231204a (excluding) |
| Controller_7000_firmware | Gallagher | 9.00 (including) | 9.00.231204b (excluding) |
Fuses are often used to store secret data, including security configuration data. When not blown, a fuse is considered to store a logic 0, and, when blown, it indicates a logic 1. Fuses are generally considered to be one-directional, i.e., once blown to logic 1, it cannot be reset to logic 0.