GateManager Denial of Service Vulnerability
Description
A denial of service vulnerability in B&R GateManager 4260 and 9250 versions <9.0.20262 and GateManager 8250 versions <9.2.620236042 allows authenticated users to limit availability of GateManager instances.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated user can repeatedly restart B&R GateManager devices, causing a denial-of-service condition and limiting availability.
Vulnerability
A denial-of-service (DoS) vulnerability exists in B&R GateManager 4260 and 9250 versions prior to 9.0.20262 and GateManager 8250 versions prior to 9.2.620236042. The issue stems from uncontrolled resource consumption (CWE-400) where an authenticated user can repeatedly trigger a restart of GateManager instances, exhausting system resources and preventing normal operation [1].
Exploitation
An attacker must have valid authentication credentials for the GateManager instance. No special privileges beyond standard user authentication are required. The attacker can exploit the vulnerability remotely over the network by sending a sequence of malicious requests that force the device to restart repeatedly [1].
Impact
Successful exploitation leads to a denial-of-service condition, making the GateManager instance unavailable to legitimate users. The availability impact is high, but confidentiality and integrity are not affected. The CVSS v3 base score is 7.7 with vector string (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) [1].
Mitigation
B&R has released fixed versions: GateManager 4260 and 9250 should be updated to version 9.0.20262 or later, and GateManager 8250 should be updated to version 9.2.620236042 or later. These updates address the uncontrolled resource consumption vulnerability [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <9.0.20262 for GateManager 4260 and 9250; <9.2.620236042 for GateManager 8250
- (no CPE) range: 4260
Patches
No patches discovered yet.
References
- us-cert.cisa.gov/ics/advisories/icsa-20-273-03 (mitre, x_refsource_MISC)
- www.br-automation.com/downloads_br_productcatalogue/assets/1600003183751-de-original-1.0.pdf (mitre, x_refsource_MISC)