Severity: High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Components affected: Gallagher Command Centre Server
Version of Command Centre affected: 8.30 prior to 8.30.1236(MR1), 8.20 prior to 8.20.1166(MR3), 8.10 prior to 8.10.1211(MR5), 8.00 and earlier.
Reported by: Gallagher
Active exploitation of vulnerability*: No
Description of vulnerability: Type confusion in Gallagher Command Centre Server allows a remote attacker to crash the server or possibly cause remote code execution. This issue affects: Gallagher Command Centre 8.30 versions prior to v8.30.1236(MR1); 8.20 versions prior to v8.20.1166(MR3); 8.10 versions prior to v8.10.1211(MR5); version 8.00 and prior versions.
Mitigation: Configure the firewall on the Command Centre server machine to restrict access to the DCOM websocket port (8905), as recommended in the Hardening Guide.
Maintenance releases are now available for:
- v8.30 - v8.30.1299(MR2)
- v8.20 - v8.20.1218(MR4)
- v8.10 - v8.10.1253(MR6)
- v8.00 - v8.00.1252(MR7)
- These maintenance upgrades require the Command Centre server to be upgraded.
*This indicates whether Gallagher are aware of this being actively exploited against customer sites.
Stay up to date with Gallagher
Get the latest Gallagher news, updates, and event information delivered straight to your inbox.