CVE-2020-16096

Severity: Critical (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Components affected: Gallagher Command Centre Server
Version of Command Centre affected: v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2), v7.70 and earlier.
Reported by: Gallagher
Active exploitation of vulnerability*: No
Description of vulnerability: In Gallagher Command Centre versions v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2), v7.70 and earlier, any Command Centre operator account has access to all data that would be replicated if the system were to be (or is) attached to a multi-server environment. This can include plain text credentials for DVR systems and card details used  for physical access/alarm/perimeter components.
Mitigation: None.

Maintenance releases are now available for:

• v8.10 - v8.10.1134(MR4)
• v8.00 - v8.00.1161(MR5)
• v7.90 - v7.90.991(MR5)
• v7.80 - v7.80.960(MR2)

Important notes:

• v8.20 and later are unaffected.
• To fix this vulnerability, sites that are already running Full Release or previous MR version of a major release, only requires a server only upgrade. 

*This indicates whether Gallagher are aware of this being maliciously exploited against customer sites