CVE-2021-23230: 
Gallagher Command Centre vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2021-23230) was discovered in the OPCUA interface of Gallagher Command Centre. The vulnerability was disclosed on June 11, 2021, affecting multiple versions of Gallagher Command Centre including version 8.40 prior to 8.40.1888 (MR3), 8.30 prior to 8.30.1359 (MR3), 8.20 prior to 8.20.1259 (MR5), 8.10 prior to 8.10.1284 (MR7), and version 8.00 and prior versions (NVD, Gallagher Advisory).

The vulnerability is classified as a SQL Injection (CWE-89) that allows remote unprivileged Command Centre Operators to modify Command Centre databases undetected. The CVSS v3.1 base scores vary between sources, with NVD rating it at 4.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, while Gallagher Group Ltd. assessed it as Critical with a score of 9.9 and vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

The vulnerability allows unauthorized modification of Command Centre databases, potentially compromising the integrity of the security system's data. The impact severity assessment indicates potential for high confidentiality, integrity, and availability breaches according to the vendor's evaluation (Gallagher Advisory).

Gallagher has released maintenance updates to address the vulnerability: v8.40.1888(MR3), v8.30.1359(MR3), v8.20.1259(MR5), and v8.10.1284(MR7). These maintenance upgrades require the Command Centre server to be upgraded (Gallagher Advisory).