CVE-2021-23162 - OpenCVE

Improper validation of the cloud certificate chain in Mobile Connect allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. This issue affects: Gallagher Command Centre Mobile Connect for Android 15 versions prior to 15.04.040; version 14 and prior versions.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Gallagher	Command Centre Mobile Connect

Configuration 1 [-]

OR	cpe:2.3:a:gallagher:command_centre_mobile_connect::::::android::*
	cpe:2.3:a:gallagher:command_centre_mobile_connect::::::android::*

References

Link	Resource
https://security.gallagher.com/Security-Advisories/CVE-2021-23162	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Gallagher

Published: 2021-11-15T00:00:00

Updated: 2021-11-18T17:59:11

Reserved: 2021-01-26T00:00:00

Link: CVE-2021-23162

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-18T18:15:08.467

Modified: 2021-11-23T14:58:13.773

Link: CVE-2021-23162

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Command Centre Mobile Connect for Android", "vendor": "Gallagher", "versions": [{"lessThanOrEqual": "14", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "15.04.040", "status": "affected", "version": "15", "versionType": "custom"}]}], "datePublic": "2021-11-15T00:00:00", "descriptions": [{"lang": "en", "value": "Improper validation of the cloud certificate chain in Mobile Connect allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. This issue affects: Gallagher Command Centre Mobile Connect for Android 15 versions prior to 15.04.040; version 14 and prior versions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-296", "description": "CWE-296 Improper Following of a Certificate's Chain of Trust", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-18T17:59:11", "orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "shortName": "Gallagher"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.gallagher.com/Security-Advisories/CVE-2021-23162"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "disclosures@gallagher.com", "DATE_PUBLIC": "2021-11-15T07:34:00.000Z", "ID": "CVE-2021-23162", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Command Centre Mobile Connect for Android", "version": {"version_data": [{"version_affected": "<", "version_name": "15", "version_value": "15.04.040"}, {"version_affected": "<=", "version_value": "14"}]}}]}, "vendor_name": "Gallagher"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper validation of the cloud certificate chain in Mobile Connect allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. This issue affects: Gallagher Command Centre Mobile Connect for Android 15 versions prior to 15.04.040; version 14 and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-296 Improper Following of a Certificate's Chain of Trust"}]}]}, "references": {"reference_data": [{"name": "https://security.gallagher.com/Security-Advisories/CVE-2021-23162", "refsource": "MISC", "url": "https://security.gallagher.com/Security-Advisories/CVE-2021-23162"}]}, "source": {"discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "assignerShortName": "Gallagher", "cveId": "CVE-2021-23162", "datePublished": "2021-11-15T00:00:00", "dateReserved": "2021-01-26T00:00:00", "dateUpdated": "2021-11-18T17:59:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gallagher:command_centre_mobile_connect:*:*:*:*:*:android:*:*", "matchCriteriaId": "6F624BDF-58DA-430C-8C71-B500C544C769", "versionEndIncluding": "14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre_mobile_connect:*:*:*:*:*:android:*:*", "matchCriteriaId": "C7013DFC-5C67-404C-ADF3-842C62B47B35", "versionEndExcluding": "15.04.040", "versionStartIncluding": "15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper validation of the cloud certificate chain in Mobile Connect allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. This issue affects: Gallagher Command Centre Mobile Connect for Android 15 versions prior to 15.04.040; version 14 and prior versions."}, {"lang": "es", "value": "Una comprobaci\u00f3n inapropiada de la cadena de certificados de la nube en Mobile Connect permite que un ataque de tipo man-in-the-middle se haga pasar por el servidor leg\u00edtimo del Centro de mando. Este problema afecta a: Gallagher Command Centre Mobile Connect para Android versiones 15 anteriores a 15.04.040; versi\u00f3n 14 y anteriores."}], "id": "CVE-2021-23162", "lastModified": "2021-11-23T14:58:13.773", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.5, "source": "disclosures@gallagher.com", "type": "Secondary"}]}, "published": "2021-11-18T18:15:08.467", "references": [{"source": "disclosures@gallagher.com", "tags": ["Vendor Advisory"], "url": "https://security.gallagher.com/Security-Advisories/CVE-2021-23162"}], "sourceIdentifier": "disclosures@gallagher.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-296"}], "source": "disclosures@gallagher.com", "type": "Secondary"}]}