
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-21815 is a security vulnerability affecting Gallagher Command Centre software, discovered and disclosed by Gallagher Internal. The vulnerability involves insufficiently protected credentials (CWE-522) for third-party DVR integrations to the Command Centre Server, which are accessible to authenticated but unprivileged users. The affected versions include Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), and all versions of 8.60 and prior (Gallagher Advisory).
The vulnerability is classified as CWE-522 (Insufficiently Protected Credentials) and has received varying CVSS scores from different sources. The National Institute of Standards and Technology (NIST) assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, while Gallagher Group Ltd. assessed it as more severe with a CVSS score of 9.1 (CRITICAL) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L (NVD).
The vulnerability exposes credentials for third-party DVR integrations to authenticated but unprivileged users of the Command Centre Server. This exposure could potentially lead to unauthorized access to DVR systems and their associated data. Only sites with DVR integrations are affected by this vulnerability (Gallagher Advisory).
Gallagher has released maintenance releases to address this vulnerability. The following patches are available: v9.00.1774 (MR2) for v9.00 systems, v8.90.1751 (MR3) for v8.90 systems, v8.80.1526 (MR4) for v8.80 systems, and v8.70.2526 (MR6) for v8.70 systems (Gallagher Advisory).
Source: This report was generated using AI