CVE-2023-23576: 
Gallagher Command Centre vulnerability analysis and mitigation

Incorrect behavior order in the Command Centre Server could allow privileged users to gain physical access to the site for longer than intended after a network outage when competencies are used in the access decision. This vulnerability (CVE-2023-23576) affects Gallagher Command Centre versions 8.90 prior to vEL8.90.1620 (MR2), 8.80 prior to vEL8.80.1369 (MR3), 8.70 prior to vEL8.70.2375 (MR5), 8.60 prior to vEL8.60.2550 (MR7), and all versions of 8.50 and prior. The vulnerability was disclosed on December 18, 2023 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. This indicates that the vulnerability requires physical access (AV:P), low attack complexity (AC:L), low privileges (PR:L), no user interaction (UI:N), affects only the local scope (S:U), has no impact on confidentiality (C:N), high impact on integrity (I:H), and no impact on availability (A:N) (Gallagher Advisory).

The vulnerability could allow privileged users to maintain physical access to secured sites beyond their intended duration during network outages, specifically when competencies are used in access decisions. This presents a potential security risk for facilities using the affected Command Centre versions (Gallagher Advisory).

Only sites using Competencies are affected by this vulnerability. Gallagher has released maintenance updates to address the issue: v8.90.1620 (MR2), v8.80.1369 (MR3), v8.70.2375 (MR5), and v8.60.2550 (MR7). Organizations using affected versions should upgrade to the appropriate patched version (Gallagher Advisory).