CVE-2021-23167
📋 TL;DR
This vulnerability lets a man-in-the-middle attacker intercept, read and alter the connection between a Gallagher Command Centre server and the SMTP server it sends mail to, because the Command Centre SMTP client does not properly validate the mail server's certificate. It affects Gallagher Command Centre security management software versions 8.50 prior to 8.50.2048, 8.40 prior to 8.40.2063, 8.30 prior to 8.30.1454, and 8.20 and all earlier versions.
💻 Affected Systems
- Gallagher Command Centre
📦 What is this software?
Command Centre by Gallagher
⚠️ Risk & Real-World Impact
Worst Case
An attacker on the path to the mail server can present a forged certificate, terminate TLS and read or modify everything Command Centre sends over SMTP: the SMTP account credentials it authenticates with, and the contents of notification emails, which can carry alarm, access and other security event details.
Likely Case
An attacker positioned between the Command Centre server and the SMTP server (same network segment, a compromised router, or redirected DNS/MX answers) could read email notifications and system alerts, harvest the SMTP credentials, and suppress or alter alerts before operators receive them.
If Mitigated
With network segmentation and a validating SMTP path (the patch, or an authenticated tunnel to the mail server), exploitation requires the attacker to already hold a position on the internal segment between the two servers.
🎯 Exploit Status
Exploitation requires the attacker to be on the network path between the Command Centre server and its SMTP server, or to redirect that traffic; once positioned, no authentication to Command Centre is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.50.2048 (MR3), 8.40.2063 (MR4), 8.30.1454 (MR4)
Vendor Advisory: https://security.gallagher.com/Security-Advisories/CVE-2021-23167
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Gallagher support portal.
2. Back up the Command Centre database and configuration.
3. Apply the patch following Gallagher's upgrade procedures.
4. Restart the Command Centre services.
🔧 Temporary Workarounds
Network Segmentation
Isolate the Command Centre server from untrusted networks and restrict SMTP traffic (ports 25/587/465) from it to the known mail server only.
Certificate Pinning
Configure Command Centre to accept only the specific SMTP server certificate, if the installed version supports it.
🧯 If You Can't Patch
- Monitor the certificate presented by the mail server on the Command Centre side (for example by periodically recording its fingerprint) and alert when it changes unexpectedly; a vulnerable client accepts a forged certificate silently, so detection has to come from outside the client
- Carry all SMTP traffic between Command Centre and the mail server over a VPN or other authenticated tunnel, so the unvalidated TLS certificate is no longer the only protection on the session
🔍 How to Verify
Check if Vulnerable:
Check the Command Centre version in the administration console or via the 'Help > About' menu and compare it against the affected versions list above.
Check Version:
Check via the Command Centre GUI (Help > About), or query the Command Centre database for the version information.
Verify Fix Applied:
Verify the version is 8.50.2048 or later (8.50 branch), 8.40.2063 or later (8.40 branch), or 8.30.1454 or later (8.30 branch); no fixed 8.20 release is listed, so those installations need to move to a patched branch. Then point a test configuration at an SMTP server that presents a self-signed or wrong-hostname certificate and confirm that Command Centre refuses to send mail rather than silently accepting the certificate.
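The following probe is an added example, not code from Gallagher or from this advisory. It shows the client-side check that the fix restores (chain validation plus hostname match), supports the certificate-pinning workaround and the external fingerprint monitoring described under "If You Can't Patch", and gives a baseline for the "test with an invalid certificate" step above: run it against your test mail server with validation on and it must report "certificate rejected"; run it with --insecure and it reproduces what an unpatched client accepts. The host, port and fingerprint values are assumptions you supply; the probe uses the local system trust store, not Command Centre's, so it verifies the mail server and the path, not the product itself.

```python
"""Probe an SMTP server over STARTTLS and check its certificate the way a
patched SMTP client must: chain validation, hostname match, and optionally
a pinned SHA-256 fingerprint. Added example, not part of the advisory."""
import argparse
import hashlib
import smtplib
import ssl
from typing import Optional


def build_context(validate: bool) -> ssl.SSLContext:
    """TLS settings for the SMTP client.

    validate=True is what a fixed client does: verify the chain against the
    system trust store and require the certificate to match the host name.
    validate=False reproduces the unpatched behaviour (any certificate is
    accepted) and is only useful to confirm a test MITM setup works.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if not validate:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context rejects untrusted and mis-named certificates."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 of a DER certificate (openssl style)."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def fingerprint_matches(der: bytes, pinned: str) -> bool:
    """Compare against a pinned fingerprint, ignoring case and colons."""
    def normalise(s: str) -> str:
        return s.replace(":", "").upper()
    return normalise(sha256_fingerprint(der)) == normalise(pinned)


def probe(host: str, port: int = 587, pinned: Optional[str] = None,
          validate: bool = True, timeout: float = 10.0) -> dict:
    """Open an SMTP session, upgrade with STARTTLS and report what was seen.

    Nothing is sent after the handshake. If the server does not advertise
    STARTTLS the probe stops instead of continuing in cleartext, which is
    also what a client should do to resist a downgrade by a MITM.
    """
    result = {"host": host, "port": port, "validate": validate,
              "starttls_offered": False, "tls_established": False,
              "fingerprint": None, "pinned_ok": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls_offered"] = smtp.has_extn("starttls")
            if not result["starttls_offered"]:
                result["error"] = "STARTTLS not offered (possible downgrade)"
                return result
            smtp.starttls(context=build_context(validate))
            result["tls_established"] = True
            # DER certificate is available even when validation was disabled.
            der = smtp.sock.getpeercert(binary_form=True)
            result["fingerprint"] = sha256_fingerprint(der)
            if pinned is not None:
                result["pinned_ok"] = fingerprint_matches(der, pinned)
    except ssl.SSLCertVerificationError as exc:
        # This is the outcome a fixed client produces for a forged certificate.
        result["error"] = f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        result["error"] = repr(exc)
    return result


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("host", help="mail server host name (assumed value)")
    ap.add_argument("port", nargs="?", type=int, default=587)
    ap.add_argument("--pin", help="expected SHA-256 fingerprint of the server cert")
    ap.add_argument("--insecure", action="store_true",
                    help="reproduce the unpatched client: accept any certificate")
    args = ap.parse_args()
    for key, value in probe(args.host, args.port, args.pin, not args.insecure).items():
        print(f"{key:>17}: {value}")
```

Record the fingerprint the legitimate mail server presents, then schedule the probe with --pin set to that value from a host on the same segment as the Command Centre server; a run that reports pinned_ok False, or "STARTTLS not offered" on a server that normally offers it, is the network indicator of an interposed certificate or a stripped upgrade.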
📡 Detection & Monitoring
Log Indicators:
- Failed certificate validation entries for the SMTP connection in Command Centre logs (these only appear on patched versions; a vulnerable client accepts a forged certificate without logging anything)
- SMTP connections from the Command Centre server to hosts other than the configured mail server, or at unusual times or volumes
Network Indicators:
- SMTP sessions from the Command Centre server that continue in cleartext after EHLO (STARTTLS stripped), or TLS sessions in which the server certificate's fingerprint or issuer differs from the legitimate mail server's
- Traffic to ports 25/587/465 being answered by an unexpected host, or ARP/DNS anomalies that redirect the mail server's address
SIEM Query (the source and event names are placeholders; map them onto your Command Centre log schema):
source="command-centre-logs" AND (event="certificate_validation_failed" OR event="smtp_connection_error")