CVE-2019-15294
Severity: High
Components affected: Command Centre Visitor Management Service
Versions of Command Centre affected: Versions 8.10.1038 and 8.10.1087 MR1 only. All other versions are unaffected.
Reported by: Gallagher
Active exploitation of vulnerability*: No
Description of vulnerability: On upgrade of Command Centre, if a custom service account is in use and the visitor management service is installed, the username and password for this service will be logged in plain text to the Command_centre.log file.
Mitigation: Treat any Windows account whose credentials appear in the log as compromised. Change its password, then update the logon credentials of every Command Centre service that runs under that account using services.msc on the Command Centre server. (Note: You do not need to install a maintenance release to fix this issue, as the log entry is only written at install/upgrade time.)
Maintenance releases will be available: v8.10.1092 MR2. This version or later must be used for all future installs of v8.10. (Note: This is only required for future installs of v8.10; it does not need to be installed to resolve this issue on an already upgraded site.)
Important notes:
- You do not need to install a maintenance release to fix this issue, as the log entry is only written at install/upgrade time. Just apply the mitigation.
- To check whether the site has been affected, search all Command_centre.log files (including rotated logs and any copies, for example those bundled with minidumps) for the following line: Setup, Executing command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil" /User="[USER]" /Password="[PASSWORD]" "C:\Program Files (x86)\Gallagher\Command Centre\Bin\VMASServiceHost.exe"
*This indicates whether Gallagher are aware of this being actively exploited against customer sites.
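The check above is easy to do by hand on one server but tedious across rotated logs and minidump copies. The following script is an added example (not Gallagher's tooling) that scans a directory tree for Command_centre.log files, reports the line number and the leaked username so you know which accounts to rotate, and redacts the password before anything is printed or quoted in a ticket. The sample log lines, the account name and the directory layout are constructed for illustration; the regex anchors on the /User= /Password= pair and the VMASServiceHost.exe target rather than on the full InstallUtil path, so a different drive letter or framework directory still matches.

```python
"""Detect the CVE-2019-15294 plain-text credential line in Command_centre.log.

Added example, not Gallagher's tooling. The sample log lines, account name and
on-disk layout are constructed for illustration only.
"""
import re
import sys
from pathlib import Path
from typing import Iterable, List, Tuple

# Anchor on the InstallUtil /User= /Password= pair and the VMASServiceHost.exe
# target. Spacing, drive letter and .NET directory may vary between installs.
_LEAK_RE = re.compile(
    r'InstallUtil.*?/User="(?P<user>[^"]*)"\s+/Password="(?P<password>[^"]*)"'
    r'.*?VMASServiceHost\.exe',
    re.IGNORECASE,
)

# Constructed sample of what an affected Command_centre.log could contain.
SAMPLE_LOG = [
    r'2019-08-01 10:12:03 Setup, Starting Command Centre upgrade',
    r'2019-08-01 10:12:09 Setup, Executing command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil" /User="CORP\svc-cc" /Password="Hunter2!" "C:\Program Files (x86)\Gallagher\Command Centre\Bin\VMASServiceHost.exe"',
    r'2019-08-01 10:12:10 Setup, Executing command line: "C:\Program Files (x86)\Gallagher\Command Centre\Bin\OtherService.exe" /install',
    r'2019-08-01 10:12:11 Setup, Service installed',
]


def find_leaked_credentials(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, username) for every line that leaks a service credential.

    The password is deliberately not returned: the goal of the scan is to learn
    which accounts to rotate, not to copy the secret somewhere else.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        m = _LEAK_RE.search(line)
        if m:
            hits.append((lineno, m.group("user")))
    return hits


def redact_line(line: str) -> str:
    """Replace the password value so the matching line can be quoted safely."""
    return re.sub(r'(/Password=")[^"]*(")', r"\1[REDACTED]\2", line, flags=re.IGNORECASE)


def scan_log_tree(root: Path) -> List[Tuple[Path, int, str]]:
    """Scan every Command_centre*.log* file below root (rotated copies included)."""
    findings: List[Tuple[Path, int, str]] = []
    for path in root.rglob("*"):
        if not path.is_file() or not path.name.lower().startswith("command_centre"):
            continue
        if ".log" not in path.name.lower():
            continue
        # Logs may contain stray bytes; replace rather than abort on decode errors.
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            for lineno, user in find_leaked_credentials(fh):
                findings.append((path, lineno, user))
    return findings


if __name__ == "__main__":
    # Usage: python scan_cc_log.py "C:\ProgramData\Gallagher\Command Centre"
    # With no argument the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        for path, lineno, user in scan_log_tree(Path(sys.argv[1])):
            print(f"{path}:{lineno}: credential for {user} logged in plain text")
    else:
        for lineno, user in find_leaked_credentials(SAMPLE_LOG):
            print(f"sample:{lineno}: credential for {user} logged in plain text")
            print("  " + redact_line(SAMPLE_LOG[lineno - 1]))
```

Run it against the directory that holds the Command Centre logs and against any folder where minidumps or support bundles were copied. Every username it reports needs the password change and services.msc update described under Mitigation; once the accounts are rotated, also remove or restrict the log copies, since the old password remains readable in them.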