CVE-2020-16100

Improper Resource Shutdown or Release

Published: Sep 15, 2020 | Modified: Sep 24, 2020
CVSS 3.x: 7.5 HIGH (Source: NVD)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.x: 5 MEDIUM
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

It is possible for an unauthenticated remote DCOM websocket connection to crash the Command Centre service's DCOM websocket thread due to improper shutdown of closed websocket connections, preventing it from accepting future DCOM websocket (Configuration Client) connections. Affected versions are v8.20 prior to v8.20.1166 (MR3), v8.10 prior to v8.10.1211 (MR5), v8.00 prior to v8.00.1228 (MR6), and all versions of 7.90 and earlier.

Weakness

The product does not release or incorrectly releases a resource before it is made available for re-use.

Affected Software

Name            Vendor     Start Version          End Version
Command_centre  Gallagher  8.00 (including)       8.00.1228 (excluding)
Command_centre  Gallagher  8.10 (including)       8.10.1211 (excluding)
Command_centre  Gallagher  8.20 (including)       8.20.1166 (excluding)
Command_centre  Gallagher  8.00.1228 (including)  8.00.1228 (including)
Command_centre  Gallagher  8.10.1211 (including)  8.10.1211 (including)
Command_centre  Gallagher  8.20.1166 (including)  8.20.1166 (including)

Potential Mitigations

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.