Incorrect selection of fuse values in the Controller 7000 platform allows an attacker to bypass some protection mechanisms to enable local debug.
This issue affects: Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507 (MR1)), 8.90 prior to vCR8.90.231204a (distributed in 8.90.1620 (MR2)), 8.80 prior to vCR8.80.231204a (distributed in 8.80.1369 (MR3)), 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)).
The logic level used to set a system to a secure state relies on a fuse being unblown. An attacker can set the system to an insecure state merely by blowing the fuse.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Controller_7000_firmware | Gallagher | 8.70 (including) | 8.70.231204a (excluding) |
| Controller_7000_firmware | Gallagher | 8.80 (including) | 8.80.231204a (excluding) |
| Controller_7000_firmware | Gallagher | 8.90 (including) | 8.90.231204a (excluding) |
| Controller_7000_firmware | Gallagher | 9.00 (including) | 9.00.231204b (excluding) |
Fuses are often used to store secret data, including security configuration data. When not blown, a fuse is considered to store a logic 0, and, when blown, it indicates a logic 1. Fuses are generally considered to be one-directional, i.e., once blown to logic 1, it cannot be reset to logic 0. However, if the logic used to determine system-security state (by leveraging the values sensed from the fuses) uses negative logic, an attacker might blow the fuse and drive the system to an insecure state.