Components affected: Command Centre Server
Version of Command Centre affected: Versions of v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2) and v7.70 or earlier.
Reported by: Gallagher
Active exploitation of vulnerability*: No
Description of vulnerability: An unprivileged but authenticated user is able to perform a backup of the Command Centre databases
Mitigation: If the Configuration Client interface and DCOM are blocked on the server then this cannot be remotely exploited.
The following maintenance releases are now available:
- These maintenance upgrades do not require controllers or workstations to be upgraded if you have the previous MR for the version. A workstation upgrade is required if you need to access the backup functionality in the configuration client from the specific workstation. Clients that aren't upgraded will fail to open the Backup property page.
*This indicates whether Gallagher are aware of this being maliciously exploited against customer sites.