CVE-2019-15294

Severity: High
Components affected: Command Centre Visitor Management Service
Versions of Command Centre affected: Versions 8.10.1038 and 8.10.1087 MR1. All other versions are unaffected.
Reported by: Gallagher
Active exploitation of vulnerability*: No
Description of vulnerability: On upgrade of Command Centre, if a custom service account is in use and the visitor management service is installed, the username and password for this service will be logged in plain text to the Command_centre.log file.
Mitigation: Any compromised Windows accounts must have their passwords changed, and the new passwords must then be updated for all Command Centre services running under those accounts using the Windows services.msc on the Command Centre server. (Note: You do not need to install any maintenance release to fix this issue, as the log entry is only written at install/upgrade time.)
Maintenance releases will be available: v8.10.1092 MR2. This version or later must be used for all future installs of v8.10. (Note: This is only required for future installs of v8.10; it does not need to be installed to resolve this issue.)

Important notes:

  • You do not need to install a maintenance release to fix this issue, as the log entry is only written at install/upgrade time. Just apply the mitigation.

  • To check if the site has been affected you should check for the following line in all Command_centre.log files (including any copies made with minidumps etc):

      Setup, Executing command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil" /User="[USER]" /Password="[PASSWORD]" "C:\Program Files (x86)\Gallagher\Command Centre\Bin\VMASServiceHost.exe"
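
The check above is easy to automate across every copy of the log. The following Python script is an added example, not Gallagher's own tooling: it matches the InstallUtil line described in this advisory, reports the file, line number and exposed account name so the operator knows which Windows account to rotate, and deliberately never stores or prints the password itself. The log line shape and the sample log content are constructed from the advisory text; the exact surrounding timestamp format on a real server is an assumption.

```python
"""Scan Command_centre.log files for the InstallUtil line that leaks the
visitor management service account (CVE-2019-15294). Added example; not
part of the original advisory or of Gallagher's tooling."""
from __future__ import annotations

import re
from pathlib import Path

# Modelled on the line quoted in the advisory: the installer logs the InstallUtil
# invocation with /User= and /Password= in clear text. The password group is
# matched only so that genuine install/upgrade lines are recognised; it is
# never copied into a finding.
INSTALLUTIL_CREDENTIAL_RE = re.compile(
    r'Executing command line:\s*"[^"]*InstallUtil[^"]*"\s+'
    r'/User="(?P<user>[^"]*)"\s+/Password="(?P<password>[^"]*)"\s+'
    r'"[^"]*VMASServiceHost\.exe"',
    re.IGNORECASE,
)


def find_exposed_accounts(log_text: str, source: str = "<memory>") -> list[dict]:
    """Return one finding per leaked-credential line in the given log text.

    Each finding carries the source name, the 1-based line number, the account
    name that was exposed, and whether a non-empty password was present. The
    password value itself is discarded.
    """
    findings: list[dict] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = INSTALLUTIL_CREDENTIAL_RE.search(line)
        if m:
            findings.append({
                "source": source,
                "line": lineno,
                "user": m.group("user"),
                "password_exposed": bool(m.group("password")),
            })
    return findings


def scan_log_tree(root: Path) -> list[dict]:
    """Walk a directory for Command_centre.log and any copies of it (rotated,
    renamed, or bundled alongside minidumps) and scan each file found."""
    findings: list[dict] = []
    for path in root.rglob("*"):
        name = path.name.lower()
        if path.is_file() and "command_centre" in name and ".log" in name:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(find_exposed_accounts(text, source=str(path)))
    return findings


# Constructed sample log content (timestamp layout is assumed; account and
# password values are made up) used to demonstrate the scanner offline.
SAMPLE_LOG = (
    "2019-08-20 10:15:01 Setup, Starting Visitor Management Service install\n"
    "2019-08-20 10:15:02 Setup, Executing command line: "
    '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil" '
    '/User="CORP\\svc-cc-vmas" /Password="Example-Secret-1" '
    '"C:\\Program Files (x86)\\Gallagher\\Command Centre\\Bin\\VMASServiceHost.exe"\n'
    "2019-08-20 10:15:05 Setup, Service installed successfully\n"
    "2019-08-20 10:16:00 Setup, Executing command line: "
    '"C:\\Program Files (x86)\\Gallagher\\Command Centre\\Bin\\OtherTool.exe" /quiet\n'
)

if __name__ == "__main__":
    # On a real server, call scan_log_tree(Path(r"C:\path\to\logs")) instead.
    for f in find_exposed_accounts(SAMPLE_LOG, source="constructed-sample"):
        print(f"{f['source']}:{f['line']}: service account '{f['user']}' was "
              "logged in clear text; rotate its password and update the service")
```

Run it against the directory holding the Command Centre logs and any exported minidump bundles; a non-empty result means the named account's password must be changed and re-entered for every Command Centre service that uses it, as the mitigation above describes. Only a line that carries both `/User=` and `/Password=` and targets `VMASServiceHost.exe` counts, so ordinary InstallUtil or setup lines do not produce false positives.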

*This indicates whether Gallagher are aware of this being actively exploited against customer sites.