Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to local Morpho devices. This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.
An error classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) causes sensitive system information or management functions to be accessible outside the intended control sphere. An authenticated operator with only limited location-based permissions is able to exceed the scope of access granted to them and perform critical configuration operations on Morpho devices connected to the Command Centre system. The authorization mechanism does not properly enforce permission boundaries in the context of this integration.
An attacker can make unauthorized, critical changes to local Morpho biometric devices, which may lead to breach of confidentiality, integrity, and availability of the access control system — including potentially unauthorized granting or revocation of physical access.
Gallagher Command Centre Server should be updated to the following versions containing fixes: vEL9.30.2482 (MR2) or newer for the 9.30 branch, vEL9.20.2819 (MR4) or newer for the 9.20 branch, vEL9.10.3672 (MR7) or newer for the 9.10 branch, vEL9.00.3831 (MR8) or newer for the 9.00 branch. For versions 8.90 and earlier, migration to a supported branch is recommended. Details are available in the vendor's guide at the address indicated in the references.
Gallagher Command Centre Server in versions: 9.30 before vEL9.30.2482 (MR2), 9.20 before vEL9.20.2819 (MR4), 9.10 before vEL9.10.3672 (MR7), 9.00 before vEL9.00.3831 (MR8), and all versions 8.90 and earlier.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H