Platform: other
Component: gallagher-command-centre
Fixed in: 8.10.1284, 8.20.1259, 8.30.1359, 8.40.1888
CVE-2021-23230 describes a critical SQL Injection vulnerability discovered in the OPCUA interface of Gallagher Command Centre. This vulnerability allows a remote, unprivileged Command Centre Operator to modify Command Centre databases without detection, posing a significant risk to data integrity and system security. The vulnerability impacts versions 8.40 and prior, 8.30 and prior, 8.20 and prior, 8.10 and prior, and 8.00 and prior. A fix is available in version 8.40.1888 (MR3).
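To turn the fixed-in list above into an inventory check, here is an added example (not code from the advisory or from Gallagher) that decides whether an installed Command Centre build is affected by CVE-2021-23230 and which patched build on the same branch is the minimum target; it assumes version strings of the form major.minor.build and, as stated in the code, treats branches newer than 8.40 as shipping after the fix.

```python
import re
from typing import Optional, Tuple

# Fixed builds per release branch, as listed on this page (major.minor -> build).
FIXED_IN = {
    (8, 10): 1284,
    (8, 20): 1259,
    (8, 30): 1359,
    (8, 40): 1888,
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.build' (e.g. '8.30.1200') into a tuple of ints."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    return major, minor, build

def is_affected(version: str) -> bool:
    """True if the installed build predates the fixed build on its branch."""
    major, minor, build = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_IN:
        return build < FIXED_IN[branch]
    # Branches with no fixed build listed: 8.00 and earlier are affected (the
    # advisory lists no fix for them, so only moving to a patched branch helps).
    # Assumption: anything newer than the 8.40 branch already carries the fix.
    return branch < (8, 40)

def minimum_fixed_version(version: str) -> Optional[str]:
    """Earliest patched build on the installed branch, or None when the branch
    has no patched build listed (upgrade to a supported branch instead)."""
    major, minor, _ = parse_version(version)
    build = FIXED_IN.get((major, minor))
    return f"{major}.{minor:02d}.{build}" if build is not None else None

if __name__ == "__main__":
    # Constructed sample inventory, not real site data.
    for v in ("8.30.1200", "8.40.1888", "8.00.500", "8.50.1"):
        print(v, "affected" if is_affected(v) else "not affected",
              "->", minimum_fixed_version(v) or "move to a patched branch")
```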
The SQL Injection vulnerability in Gallagher Command Centre allows an attacker to inject malicious SQL code into the OPCUA interface. Successful exploitation enables an unauthenticated or low-privilege Command Centre Operator to directly manipulate the Command Centre’s databases. This could involve unauthorized modification of user accounts, access control lists, event logs, or other sensitive data. The undetected nature of the modification amplifies the risk, as malicious changes could persist without immediate detection. The potential impact extends beyond data theft to include complete system compromise, enabling attackers to gain persistent access and control over the security system. While no direct precedent exists for this specific vulnerability, SQL Injection vulnerabilities are consistently exploited to gain unauthorized access and escalate privileges, mirroring the potential impact of similar attacks.
CVE-2021-23230 was publicly disclosed on June 11, 2021. The vulnerability has not been added to the CISA KEV catalog as of this writing. There are currently no publicly available proof-of-concept exploits, but the severity of the vulnerability (CVSS 9.9) suggests a high probability of exploitation if a suitable exploit is developed and released. Given the critical nature and the potential for undetected data modification, organizations using affected versions should prioritize remediation.
Organizations relying on Gallagher Command Centre for physical security, particularly those with legacy installations of versions 8.00 and prior, are at significant risk. Shared hosting environments where multiple Command Centre instances share a database are also particularly vulnerable, as a compromise of one instance could potentially impact others. Organizations with limited security expertise or those who have not implemented robust access controls for Command Centre Operators are also at increased risk.
• linux / server: Monitor Command Centre database logs for unusual SQL queries or patterns indicative of injection attempts. Use journalctl -f -u gallagher-command-centre to observe real-time log activity.
journalctl -f -u gallagher-command-centre | grep -i "error" | grep -i "sql"
• generic web: Examine access logs for requests to the OPCUA interface with unusual or malformed parameters. Use curl to test the OPCUA endpoint with potentially malicious input.
curl 'http://<command_centre_ip>/opcua/some_endpoint?param=';
• database (mysql, postgresql): If Command Centre uses a MySQL or PostgreSQL database, check for unauthorized database modifications or suspicious user activity using native CLI tools.
mysql -u <user> -p -e "SHOW PROCESSLIST;"
Disclosure
Patch
Exploit status
EPSS: 0.25% (48th percentile)
CVSS vector
The primary mitigation for CVE-2021-23230 is to immediately upgrade Gallagher Command Centre to version 8.40.1888 (MR3) or a later patched version. If upgrading is not immediately feasible due to compatibility issues or system downtime constraints, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement without specific knowledge of the attack patterns, restricting access to the OPCUA interface to trusted networks and users can reduce the attack surface. Regularly review and audit Command Centre database access logs for any suspicious activity. Implement stricter authentication and authorization controls for Command Centre Operators to limit the potential impact of a compromised account. After upgrading, confirm the fix by attempting to trigger the SQL injection vulnerability through the OPCUA interface and verifying that the input is properly sanitized.
Upgrade Gallagher Command Centre to version 8.40.1888 (MR3), 8.30.1359 (MR3), 8.20.1259 (MR5), 8.10.1284 (MR7) or later. This fixes the SQL injection vulnerability in the OPCUA interface.
CVE-2021-23230 is a critical SQL Injection vulnerability in the OPCUA interface of Gallagher Command Centre, allowing attackers to modify databases undetected.
You are affected if you are using Gallagher Command Centre versions 8.40 and prior, 8.30 and prior, 8.20 and prior, 8.10 and prior, or 8.00 and prior.
Upgrade to Gallagher Command Centre version 8.40.1888 (MR3) or a later patched version. Implement temporary workarounds if immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's severity suggests a high probability of exploitation if a suitable exploit is developed.
Refer to the Gallagher Command Centre security advisory on their website for detailed information and updates: [https://www.gallagher.com/security-advisories](https://www.gallagher.com/security-advisories)