CVE-2021-23146
Severity: Medium (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
Components affected: Gallagher Controller
Version of Command Centre affected: 8.40 prior to vCR8.40.210518a (distributed in 8.40.1888 (MR3)), 8.30 prior to vCR8.30.210428c (distributed in 8.30.1454 (MR3)), 8.20 prior to vCR8.20.210422a (distributed in 8.20.1291 (MR5)), 8.10 prior to vGR8.10.200 (distributed in 8.10.1284 (MR7)), all versions of 8.00
Reported by: Customer reported
Active exploitation of vulnerability*: No
Description of vulnerability: An Incomplete Comparison with Missing Factors vulnerability in the Gallagher Controller allows an attacker to bypass PIV verification. This issue affects: Gallagher Command Centre 8.40 prior to vGR8.40.881 (distributed in 8.40.1888 (MR3)), 8.30 prior to vGR8.30.712 (distributed in 8.30.1359 (MR3)), 8.20 prior to vGR8.20.393 (distributed in 8.20.1259 (MR5)), 8.10 prior to vGR8.10.200 (distributed in 8.10.1284 (MR7)), all versions of 8.00
Mitigation: Disable 125 kHz card technology.
Maintenance releases are now available for:
- v8.40 - v8.40.1888 (MR3)
- v8.30 - v8.30.1359 (MR3)
- v8.20 - v8.20.1259 (MR5)
- v8.10 - v8.10.1284 (MR7)
*This indicates whether Gallagher are aware of this being actively exploited against customer sites at the time of publication.