Vulnerability identifier: #VU54513
Vulnerability risk: Low
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-916
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
MX207
Hardware solutions /
Firmware
MX213
Hardware solutions /
Firmware
MX220
Hardware solutions /
Firmware
MC206
Hardware solutions /
Firmware
MC212
Hardware solutions /
Firmware
MC220
Hardware solutions /
Firmware
MH230
Hardware solutions /
Firmware
MC205
Hardware solutions /
Firmware
MC210
Hardware solutions /
Firmware
MH212
Hardware solutions /
Firmware
ME203
Hardware solutions /
Firmware
CS200
Hardware solutions /
Firmware
MP213
Hardware solutions /
Firmware
MP226
Hardware solutions /
Firmware
MPC240
Hardware solutions /
Firmware
MPC265
Hardware solutions /
Firmware
MPC270
Hardware solutions /
Firmware
MPC293
Hardware solutions /
Firmware
MPE270
Hardware solutions /
Firmware
CPC210
Hardware solutions /
Firmware
M-Base Operating System
Operating systems & Components /
Operating system
Vendor: Bachmann electronic GmbH
Description
The vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to the affected M-Base Controllers use weak cryptography to protect device passwords. A remote administrator can gain access to the password hashes.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
MX207: All versions
MX213: All versions
MX220: All versions
MC206: All versions
MC212: All versions
MC220: All versions
MH230: All versions
MC205: All versions
MC210: All versions
MH212: All versions
ME203: All versions
CS200: All versions
MP213: All versions
MP226: All versions
MPC240: All versions
MPC265: All versions
MPC270: All versions
MPC293: All versions
MPE270: All versions
CPC210: All versions
M-Base Operating System: 1.06.14
External links
http://ics-cert.us-cert.gov/advisories/icsa-21-026-01-0
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.