CVE-2021-23155

9.0 CRITICAL

📋 TL;DR

The Android Mobile Client does not properly validate the server's TLS certificate chain, so an attacker positioned between the client and the Command Centre server can present a forged certificate, impersonate the server, and read or alter the session. This affects Android mobile clients running versions 8.50 and earlier, and 8.60 versions prior to 8.60.065; the fix is in 8.60.065.

💻 Affected Systems

Products:
  • Gallagher Command Centre Mobile Client for Android
Versions: 8.50 and prior versions; 8.60 versions prior to 8.60.065
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the mobile client application, not the Command Centre server itself.

📦 What is this software?

Gallagher Command Centre is a physical security management platform (access control and related site security functions). The Mobile Client for Android is the companion app through which operators reach a Command Centre server over TLS from a phone or tablet; this CVE is in that app's handling of the server's certificate chain, not in the server.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of mobile client communications, allowing attackers to intercept sensitive security system data, issue unauthorized commands to physical security systems, or gain unauthorized access to protected facilities.

🟠

Likely Case

Interception of mobile client communications, potentially exposing sensitive security system information and allowing attackers to monitor security operations.

🟢

If Mitigated

Limited impact when mobile clients only reach the server over trusted, segmented networks or a VPN. The operator cannot add certificate pinning to a third-party app, so risk remains whenever an unpatched client connects from an untrusted network (public Wi-Fi, hostile mobile infrastructure).

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a man-in-the-middle position on the network path between the mobile client and the server (rogue Wi-Fi access point, ARP/DNS spoofing on a shared LAN, or a compromised upstream hop). No credentials are needed, and the client gives the user no warning because it is the client's own validation that is missing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.60.065 or later

Vendor Advisory: https://security.gallagher.com/Security-Advisories/CVE-2021-23155

Restart Required: Yes

Instructions:

1. Update Gallagher Command Centre Mobile Client for Android to version 8.60.065 or later.
2. Restart the application after the update.
3. Verify the update was successful by checking the app version.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all affected versions

Restrict mobile client access to trusted networks only, preventing connections from untrusted networks where MITM attacks are more likely.

VPN Enforcement

Applies to: all affected versions

Require all mobile clients to connect through a corporate VPN. The VPN's own authentication protects the path from the untrusted network to the VPN gateway; it does not fix the client's certificate handling, so anyone able to intercept traffic between the VPN gateway and the Command Centre server can still impersonate the server.

🧯 If You Can't Patch

  • Restrict mobile client usage to trusted, controlled networks only
  • Monitor the server certificate issuers seen in mobile-client TLS traffic at the network edge (proxy, IDS) rather than relying on client-side validation errors, which an unpatched client does not generate

🔍 How to Verify

Check if Vulnerable:

Check the app version in Android settings > Apps > Gallagher Command Centre Mobile Client > App info

Check Version:

No in-app command line. Read the version from Android app info, or from a connected device with `adb shell dumpsys package <package name>` and look at the versionName field (the package name is whatever the installed Gallagher app reports under Settings > Apps).

Verify Fix Applied:

Verify the app version is 8.60.065 or later, then confirm the behaviour on a lab device: route the device through an intercepting proxy (for example mitmproxy) whose CA certificate is NOT installed on the device. A patched client must refuse the connection; a vulnerable client completes the TLS handshake and the proxy shows the decrypted traffic.
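The version check above, as an added example that is not part of the page or of Gallagher's tooling: it parses the `versionName` field from `adb shell dumpsys package` output and applies the two affected ranges (8.50 and earlier; 8.60.x before 8.60.065). The package id and the dumpsys text are constructed placeholders, not the real app's values.

```python
"""Decide whether an installed Gallagher Command Centre Mobile Client build
falls in the affected range for CVE-2021-23155.

Affected (per the advisory): 8.50 and earlier; 8.60.x before 8.60.065.
Fixed: 8.60.065 and later (and, by the same rule, later major/minor lines).

PACKAGE_NAME and SAMPLE_DUMPSYS are CONSTRUCTED placeholders in the shape
that `adb shell dumpsys package <pkg>` prints; they are not the app's real id
or real output.
"""
import re
import subprocess
from typing import Optional, Tuple

PACKAGE_NAME = "com.example.commandcentre.mobile"  # placeholder, not the real id
FIXED_VERSION = (8, 60, 65)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.60.065' into (8, 60, 65); tolerate two-part versions like '8.50'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the version string is inside an affected range."""
    v = parse_version(version)
    major_minor = v[:2]
    if major_minor < (8, 60):
        return True  # 8.50 and everything earlier
    if major_minor == (8, 60):
        build = v[2] if len(v) > 2 else 0  # '8.60' with no build: treat as pre-fix
        return build < FIXED_VERSION[2]
    return False  # later lines carry the fix


def version_from_dumpsys(dumpsys_output: str) -> Optional[str]:
    """Extract versionName= from dumpsys package output, or None if absent."""
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_output, re.MULTILINE)
    return m.group(1) if m else None


def check_device(package: str = PACKAGE_NAME) -> Optional[bool]:
    """Query a connected device via adb. None means the app is not installed."""
    out = subprocess.run(["adb", "shell", "dumpsys", "package", package],
                         capture_output=True, text=True, check=False).stdout
    v = version_from_dumpsys(out)
    return None if v is None else is_vulnerable(v)


# Constructed sample of dumpsys output (layout mimics Android, values invented).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.commandcentre.mobile] (3f2a1b9):
    userId=10231
    versionCode=860065 minSdk=26 targetSdk=31
    versionName=8.60.065
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
"""

if __name__ == "__main__":
    v = version_from_dumpsys(SAMPLE_DUMPSYS)
    print(f"installed {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Run `check_device("<real package id>")` against a connected device to get the live answer; the offline `__main__` path only exercises the constructed sample.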

📡 Detection & Monitoring

Log Indicators:

  • Certificate validation errors or TLS handshake failures in mobile client logs (an unpatched client does not validate the chain, so these appear mainly on patched clients that are being attacked)
  • Unexpected certificate authorities in TLS handshakes to the Command Centre server

Network Indicators:

  • Unusual TLS certificate chains in mobile client traffic
  • MITM proxy detection in network traffic

SIEM Query:

source="mobile_client" AND (event_type="certificate_error" OR event_type="tls_handshake_failure")
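The same two signals in code, as an added example that is not part of the page or of any Gallagher or SIEM product: the client-log filter mirrors the query above, and the network-side check flags any server certificate issuer for the Command Centre host that is outside an allowlist, which is the only signal an unpatched client leaves. All field names, hostnames, issuer DNs and records are constructed assumptions.

```python
"""Detection logic for CVE-2021-23155 MITM attempts over CONSTRUCTED sample
records (not real Gallagher telemetry; field names are assumptions chosen
to match the SIEM query on this page).

Signal 1: client log events certificate_error / tls_handshake_failure.
          Mostly produced by PATCHED clients, which reject the forged chain.
Signal 2: TLS metadata from the network (e.g. a Zeek ssl/x509 join): the
          issuer of the certificate served for the Command Centre host is
          not in the expected set. Works against unpatched clients, which
          accept the forgery silently.
"""
import json
from collections import Counter
from typing import Dict, List

# Assumed allowlist of issuers for the server certificate; replace with your own.
EXPECTED_ISSUERS = {"CN=Corp Issuing CA 01,O=Example Corp"}
COMMAND_CENTRE_HOST = "cc.example.internal"  # assumed server name

CLIENT_LOG = [  # constructed JSON lines, as a log shipper might emit them
    '{"source":"mobile_client","device":"android-7f31","event_type":"tls_handshake","peer":"cc.example.internal"}',
    '{"source":"mobile_client","device":"android-7f31","event_type":"certificate_error","peer":"cc.example.internal","detail":"chain not trusted"}',
    '{"source":"mobile_client","device":"android-2c9e","event_type":"tls_handshake_failure","peer":"cc.example.internal"}',
    '{"source":"mobile_client","device":"android-2c9e","event_type":"login_ok","peer":"cc.example.internal"}',
]

TLS_METADATA = [  # constructed: one record per observed server certificate
    {"src": "10.20.5.17", "sni": "cc.example.internal", "issuer": "CN=Corp Issuing CA 01,O=Example Corp"},
    {"src": "10.20.5.42", "sni": "cc.example.internal", "issuer": "CN=mitmproxy,O=mitmproxy"},
    {"src": "10.20.5.42", "sni": "cc.example.internal", "issuer": "CN=mitmproxy,O=mitmproxy"},
    {"src": "10.20.5.90", "sni": "other.example.internal", "issuer": "CN=Some Public CA"},
]

ERROR_EVENTS = {"certificate_error", "tls_handshake_failure"}


def client_log_hits(lines: List[str]) -> List[dict]:
    """Same predicate as the SIEM query: source=mobile_client AND error event type."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("source") == "mobile_client" and rec.get("event_type") in ERROR_EVENTS:
            hits.append(rec)
    return hits


def unexpected_issuers(records: List[dict], host: str = COMMAND_CENTRE_HOST,
                       allow=EXPECTED_ISSUERS) -> Dict[str, Counter]:
    """Map client IP -> Counter of unexpected issuer DNs served for the CC host."""
    out: Dict[str, Counter] = {}
    for r in records:
        if r["sni"] != host or r["issuer"] in allow:
            continue
        out.setdefault(r["src"], Counter())[r["issuer"]] += 1
    return out


def alerts(lines: List[str] = CLIENT_LOG, records: List[dict] = TLS_METADATA) -> List[str]:
    """Human-readable alert lines from both signals."""
    msgs = []
    for rec in client_log_hits(lines):
        msgs.append(f"client {rec['device']}: {rec['event_type']} talking to {rec['peer']}")
    for src, issuers in unexpected_issuers(records).items():
        for issuer, n in issuers.items():
            msgs.append(f"network {src}: {n}x unexpected issuer {issuer!r} for {COMMAND_CENTRE_HOST}")
    return msgs


if __name__ == "__main__":
    for m in alerts():
        print(m)
```

In the constructed data, 10.20.5.42 never logs an error but is served a mitmproxy-issued certificate twice; that is exactly the pattern of an unpatched client being intercepted, and only the network signal catches it.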

🔗 References

  • Vendor advisory: https://security.gallagher.com/Security-Advisories/CVE-2021-23155
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-23155