CVE-2023-25074

7.1 HIGH

📋 TL;DR

Improper privilege validation in Gallagher Command Centre Server allows an authenticated but unprivileged operator to view and modify Competencies data that their assigned privileges should not reach. It affects the vEL8.90, vEL8.80, vEL8.70, vEL8.60 and vEL8.50 release trains before their respective maintenance releases listed below, and all versions vEL8.40 and prior, for which no fix is available. The result is unauthorized disclosure of, and tampering with, competency records.

💻 Affected Systems

Products:
  • Gallagher Command Centre Server
Versions:
  • vEL8.90 prior to vEL8.90.1318 (MR1)
  • vEL8.80 prior to vEL8.80.1192 (MR2)
  • vEL8.70 prior to vEL8.70.2185 (MR4)
  • vEL8.60 prior to vEL8.60.2347 (MR6)
  • vEL8.50 prior to vEL8.50.2831 (MR8)
  • all versions vEL8.40 and prior (no fixed build)
Operating Systems: Not specified in CVE
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated operator account. All affected versions are vulnerable by default.

📦 What is this software?

Gallagher Command Centre is Gallagher Security's physical access control and security management platform; the Command Centre Server is the central service that operators administer through the Command Centre client. Competencies are per-cardholder qualifications (inductions, licences, certifications) that Command Centre can require before granting access to a door or area, so the ability to view or alter them bears directly on who can physically get where.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized modification of competency records could grant or withhold physical access outside policy (for example by marking a cardholder as holding a qualification they lack, or stripping one they hold), causing security policy violations and compliance failures.

🟠 Likely Case

Unauthorized viewing of competency records, exposing confidential employee qualification or clearance details to operators who were never granted that visibility.

🟢 If Mitigated

With operator accounts kept to a minimum and Competencies activity monitored, impact is limited to potential data exposure by a small, known set of accounts, with no system compromise.

🌐 Internet-Facing: MEDIUM - If Command Centre Server is internet-facing, authenticated attackers could exploit this remotely.
🏢 Internal Only: HIGH - Internal users with operator accounts can exploit this vulnerability to access unauthorized data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires only authenticated access and knowledge of the vulnerability.

Exploitation requires valid operator credentials. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: vEL8.90.1318 (MR1), vEL8.80.1192 (MR2), vEL8.70.2185 (MR4), vEL8.60.2347 (MR6), vEL8.50.2831 (MR8)

Vendor Advisory: https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-25074

Restart Required: Yes

Instructions:

1. Download the appropriate patch version for your release train from the Gallagher support portal.
2. Back up the current configuration.
3. Apply the patch following Gallagher's documentation.
4. Restart the Command Centre Server services.
5. Verify that the installed version is at or above the fixed build for that train.

🔧 Temporary Workarounds

Restrict Operator Access (applies to: all affected versions)

Reduce operator accounts to the people who genuinely need them. On an unpatched server the Competencies privilege check is the thing that fails, so withholding the Competencies privilege from an operator does not stop them; only removing or disabling the operator account does.

Enhanced Monitoring (applies to: all affected versions)

Log and alert on Competencies views and modifications, and compare the acting operator against the privileges actually assigned to that operator. On an unpatched server these actions succeed rather than being denied, so alerting on denied events alone will miss exploitation.

🧯 If You Can't Patch

  • Implement strict access controls and review all operator permissions regularly.
  • Enable detailed auditing of Competencies access and modifications in system logs.

🔍 How to Verify

Check if Vulnerable:

Compare the installed Command Centre Server version against the affected ranges listed above. Any build below the fixed build for its release train, and any vEL8.40-or-earlier release, is vulnerable.

Check Version:

Check version in Command Centre Server web interface or administration console.

Verify Fix Applied:

Confirm the reported version is at or above the fixed build for its release train (for example vEL8.80.1192 or later on the vEL8.80 train, or vEL8.90.1318 or later on vEL8.90). A vEL8.40-or-earlier install cannot be verified as fixed; it must be upgraded to a fixed train.
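The version comparison described in this section, written out as an added example (this is not Gallagher code). It assumes the version string has the form vEL<major>.<minor>.<build> as in the advisory (for example vEL8.80.1192); the fixed build numbers are taken from the advisory above, and a release train newer than vEL8.90 is reported as "not-listed" rather than as patched, because this page says nothing about it.

```python
"""Classify a Gallagher Command Centre Server version string against the
CVE-2023-25074 affected ranges.

Added example, not Gallagher code. Assumptions: version strings look like
'vEL8.80.1192' (major.minor.build); fixed builds come from the advisory.
"""
import re
from typing import Optional, Tuple

# First fixed build per release train, from the advisory summary.
FIXED_BUILD = {
    (8, 90): 1318,  # vEL8.90.1318 (MR1)
    (8, 80): 1192,  # vEL8.80.1192 (MR2)
    (8, 70): 2185,  # vEL8.70.2185 (MR4)
    (8, 60): 2347,  # vEL8.60.2347 (MR6)
    (8, 50): 2831,  # vEL8.50.2831 (MR8)
}
# Every train at or below this one is affected outright, with no fixed build.
LAST_UNFIXED_TRAIN = (8, 40)

_VERSION_RE = re.compile(r"^vEL(\d+)\.(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, Optional[int]]:
    """Split 'vEL8.80.1192' into (8, 80, 1192); build may be absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Command Centre version: {text!r}")
    major, minor, build = m.groups()
    return int(major), int(minor), (int(build) if build is not None else None)


def assess(text: str) -> str:
    """Return one of 'vulnerable', 'fixed', 'unknown-build', 'not-listed'."""
    major, minor, build = parse_version(text)
    train = (major, minor)
    if train <= LAST_UNFIXED_TRAIN:
        return "vulnerable"              # vEL8.40 and prior: no fix exists
    if train in FIXED_BUILD:
        if build is None:
            return "unknown-build"       # need the build number to decide
        return "fixed" if build >= FIXED_BUILD[train] else "vulnerable"
    return "not-listed"                  # train not covered by the advisory


if __name__ == "__main__":
    for sample in ("vEL8.80.1100", "vEL8.80.1192", "vEL8.40.2000",
                   "vEL8.60", "vEL9.00.1"):
        print(f"{sample:>14}: {assess(sample)}")
```

Feed it the version string shown by the server's administration console; "unknown-build" means the display omitted the build number and the check must be repeated with the full version.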

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to Competencies module
  • Competencies modifications by unprivileged operators

Network Indicators:

  • Unusual patterns of Competencies-related API calls from operator accounts

SIEM Query (illustrative; the source, event and field names below are placeholders that must be mapped to the schema your Command Centre audit export or log forwarder actually emits):

source="command_centre" AND (event="competency_access" OR event="competency_modify") AND user_role="operator"

Refine the query by excluding operators whose assigned privileges legitimately include Competencies, so that it returns only operators who should have been denied. Do not filter on a "denied" outcome: on an unpatched server the unauthorized action succeeds.

🔗 References

  • Gallagher security advisory: https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-25074
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-25074