CVE-2020-7215

Severity: Critical
Components affected: Command Centre DVR System Items
Version of Command Centre affected: Versions of v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 or earlier.
Reported by: Gallagher
Active exploitation of vulnerability*: No
Description of vulnerability: External system configuration used for third-party integrations, such as DVR systems, was logged in the Command Centre event trail. Any authenticated operator with the 'view events' privilege could see the full configuration, including plain text user names and passwords, under the event details of the 'Modified DVR System' event.
Mitigation: Upgrade to a fixed version and then change the password for the DVR system. Customers not using DVR systems are unaffected.
The following maintenance releases are now available:

  • v8.10.1134(MR4)
  • v8.00.1161(MR5)
  • v7.90.991(MR5)

Important notes:

  • These maintenance upgrades do not require controllers or workstations to be upgraded if you have the previous MR for the version. A workstation upgrade is required if you need to access the backup functionality in the configuration client from the specific workstation. Clients that aren't upgraded will fail to open the Backup property page.

*This indicates whether Gallagher are aware of this being maliciously exploited against customer sites.