CVE-2020-16098
📋 TL;DR
CVE-2020-16098 allows unauthenticated attackers to enumerate access card credentials from Gallagher Command Centre security systems via network connections. These credentials can then be used to create unauthorized access cards for systems supporting insecure card technologies. Affected organizations include those using vulnerable versions of Gallagher Command Centre for physical access control.
💻 Affected Systems
- Gallagher Command Centre
📦 What is this software?
Command Centre by Gallagher
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain physical access to secured facilities by creating cloned access cards, potentially compromising sensitive areas, assets, or personnel safety.
Likely Case
Unauthorized individuals create access cards to enter restricted areas, leading to theft, espionage, or safety violations.
If Mitigated
With proper network segmentation and monitoring, unauthorized access attempts are detected before successful exploitation.
🎯 Exploit Status
Exploitation requires network access to the Command Centre server but no authentication, making it relatively simple for attackers with network connectivity.
🛠️ Fix & Mitigation
✅ Official Fix
Patched Versions: v8.20.1166(MR3), v8.10.1211(MR5), v8.00.1228(MR6)
Vendor Advisory: https://security.gallagher.com/Security-Advisories/CVE-2020-16098
Restart Required: Yes
Instructions:
1. Download the appropriate patch from Gallagher support.
2. Back up the Command Centre database.
3. Apply the patch following Gallagher's installation guide.
4. Restart the Command Centre server.
5. Verify the patch is applied correctly.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to Command Centre servers to only authorized management systems and clients. Use firewall rules to accept authorized IPs and drop everything else on the Command Centre port (order matters: the ACCEPT rule must precede the DROP; repeat the ACCEPT rule for each authorized address or subnet):
```bash
iptables -A INPUT -s <authorized_ips> -p tcp --dport <command_centre_port> -j ACCEPT
iptables -A INPUT -p tcp --dport <command_centre_port> -j DROP
```
Disable Insecure Card Technologies
Disable support for low-security card technologies in the Command Centre configuration, so that enumerated credentials cannot be written to easily cloned card formats:
1. Navigate to Command Centre Configuration > Card Technologies.
2. Disable any insecure card formats (e.g., low-security magnetic stripe, basic proximity).
🧯 If You Can't Patch
- Isolate Command Centre servers on a dedicated VLAN with strict access controls.
- Implement continuous monitoring for unusual network connections to Command Centre servers.
🔍 How to Verify
Check if Vulnerable:
Check the Command Centre version in the administration interface. If the version is older than the patched release for its branch (see Official Fix above), the system is vulnerable.
Check Version:
In Command Centre GUI: Help > About, or check server logs for version information.
Verify Fix Applied:
Verify in the administration interface that the version has been updated to a patched release for its branch: v8.20.1166(MR3) or later for 8.20, v8.10.1211(MR5) or later for 8.10, or v8.00.1228(MR6) or later for 8.00.
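The version comparison above can be automated when you have many Command Centre servers to check. The following is an added example (not Gallagher's code and not part of the original advisory): it parses version strings in the form shown on this page, e.g. `v8.20.1166(MR3)`, and compares the build number against the patched build for the same release branch. The patched builds are the three listed under Official Fix; for any other branch the result is reported as `unknown` rather than guessed, which is an assumption of this example, not a statement from the advisory.

```python
from __future__ import annotations

import re

# Minimum patched build per release branch, taken from the advisory's
# "Patched Versions" line: v8.20.1166(MR3), v8.10.1211(MR5), v8.00.1228(MR6).
# Branches not listed here are reported as "unknown" (assumption of this example).
PATCHED_BUILDS = {
    (8, 20): 1166,
    (8, 10): 1211,
    (8, 0): 1228,
}

# Accepts "v8.20.1166(MR3)", "8.20.1166 (MR3)" or "8.20.1166"; the MR suffix is
# a maintenance-release label and is not needed for the comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\s*\(MR\d+\))?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a Command Centre version string into (major, minor, build)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Command Centre version string: {text!r}")
    major, minor, build = (int(g) for g in m.groups())
    return major, minor, build


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one version string.

    A build is considered patched when it is at or above the fixed build for
    its own major.minor branch; builds from other branches cannot be judged
    from the advisory alone and are reported as 'unknown'.
    """
    major, minor, build = parse_version(text)
    fixed_build = PATCHED_BUILDS.get((major, minor))
    if fixed_build is None:
        return "unknown"
    return "patched" if build >= fixed_build else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {
        "cc-hq": "v8.20.1166(MR3)",
        "cc-site2": "v8.20.1100",
        "cc-lab": "8.10.1211 (MR5)",
        "cc-legacy": "v7.90.500",
    }
    for host, version in inventory.items():
        print(f"{host:10} {version:18} {assess(version)}")
```

Feed it the string from Help > About; anything reported as `vulnerable` should be scheduled for the patch, and `unknown` results need a manual check against the vendor advisory.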
📡 Detection & Monitoring
Log Indicators:
- Unusual network connections to Command Centre server from unauthorized IPs
- Multiple failed authentication attempts followed by successful enumeration
Network Indicators:
- Unexpected traffic to Command Centre server ports from external or unauthorized internal IPs
- Patterns of data extraction without corresponding user logins
SIEM Query (pseudo-syntax; adapt to your SIEM's query language):
```
source="command_centre_logs" AND (event="unauthorized_connection" OR src_ip NOT IN authorized_ips) AND dest_port=<command_centre_port>
```
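The two network indicators above (connections to the Command Centre port from unauthorized sources, and connection activity with no corresponding operator login) can be checked offline against exported logs. The following is an added example, not Gallagher's code and not taken from the advisory: it uses a constructed key=value log format (the real Command Centre log format is not documented on this page), a placeholder port number, and a constructed authorized management subnet; all three are assumptions to replace with your own values.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines. The key=value layout is invented for this
# example and is not the real Command Centre log format.
SAMPLE_LOG = """\
2020-09-01T10:00:01Z event=login src=10.1.5.20 user=operator1 result=success
2020-09-01T10:00:05Z event=connect src=10.1.5.20 dst=10.1.1.10 dport=5555
2020-09-01T10:01:12Z event=connect src=10.1.5.77 dst=10.1.1.10 dport=5555
2020-09-01T10:01:13Z event=connect src=10.1.5.77 dst=10.1.1.10 dport=5555
2020-09-01T10:02:40Z event=connect src=192.168.40.9 dst=10.1.1.10 dport=5555
2020-09-01T10:03:00Z event=connect src=10.1.5.20 dst=10.1.1.10 dport=443
"""

# Placeholder: the advisory writes this as <command_centre_port>; set it to the
# port your Command Centre server actually listens on.
COMMAND_CENTRE_PORT = 5555
# Constructed management subnet standing in for the advisory's "authorized_ips".
AUTHORIZED_NETS = [ip_network("10.1.5.0/24")]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields


def is_authorized(src):
    """True when the source address falls inside an authorized management network."""
    addr = ip_address(src)
    return any(addr in net for net in AUTHORIZED_NETS)


def analyse(log_text):
    """Return {src_ip: [reasons]} for sources whose Command Centre traffic looks suspicious.

    Reasons correspond to the advisory's indicators: a source outside the
    authorized networks, or connections to the Command Centre port from a host
    that never produced a successful operator login in the same log window.
    """
    logins = set()
    connects = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        if f.get("event") == "login" and f.get("result") == "success":
            logins.add(f["src"])
        elif f.get("event") == "connect" and int(f.get("dport", 0)) == COMMAND_CENTRE_PORT:
            connects[f["src"]] += 1

    findings = {}
    for src, count in connects.items():
        reasons = []
        if not is_authorized(src):
            reasons.append("source outside authorized networks")
        if src not in logins:
            reasons.append(f"{count} connection(s) with no operator login from this host")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in analyse(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

In the sample, `10.1.5.20` is authorized and logged in, so it is not reported; `10.1.5.77` is inside the management subnet but connected twice without any login, and `192.168.40.9` is both outside the authorized networks and has no login. The connection on port 443 is ignored because only the Command Centre port is in scope.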