Use of Password Hash With Insufficient Computational Effort in Bachmann Electronic M1 System Processor Modules



Published: 2021-07-02
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-16231
CWE-ID CWE-916
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		MX207
Hardware solutions / Firmware

MX213
Hardware solutions / Firmware

MX220
Hardware solutions / Firmware

MC206
Hardware solutions / Firmware

MC212
Hardware solutions / Firmware

MC220
Hardware solutions / Firmware

MH230
Hardware solutions / Firmware

MC205
Hardware solutions / Firmware

MC210
Hardware solutions / Firmware

MH212
Hardware solutions / Firmware

ME203
Hardware solutions / Firmware

CS200
Hardware solutions / Firmware

MP213
Hardware solutions / Firmware

MP226
Hardware solutions / Firmware

MPC240
Hardware solutions / Firmware

MPC265
Hardware solutions / Firmware

MPC270
Hardware solutions / Firmware

MPC293
Hardware solutions / Firmware

MPE270
Hardware solutions / Firmware

CPC210
Hardware solutions / Firmware

M-Base Operating System
Operating systems & Components / Operating system

Vendor Bachmann electronic GmbH

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Use of Password Hash With Insufficient Computational Effort

EUVDB-ID: #VU54513

Risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-16231

CWE-ID: CWE-916 - Use of Password Hash With Insufficient Computational Effort

Exploit availability: No

Description

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to the affected M-Base Controllers use weak cryptography to protect device passwords. A remote administrator can gain access to the password hashes.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

MX207: All versions

MX213: All versions

MX220: All versions

MC206: All versions

MC212: All versions

MC220: All versions

MH230: All versions

MC205: All versions

MC210: All versions

MH212: All versions

ME203: All versions

CS200: All versions

MP213: All versions

MP226: All versions

MPC240: All versions

MPC265: All versions

MPC270: All versions

MPC293: All versions

MPE270: All versions

CPC210: All versions

M-Base Operating System: 1.06.14

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-026-01-0


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###