#VU54513 Use of Password Hash With Insufficient Computational Effort in Bachmann electronic GmbH products - CVE-2020-16231

Cybersecurity Help s.r.o.

Published: 2021-07-02

Vulnerability identifier: #VU54513

Vulnerability risk: Low

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-16231

CWE-ID: CWE-916

Exploitation vector: Network

Exploit availability: No

Vendor: Bachmann electronic GmbH

Description

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to the affected M-Base Controllers use weak cryptography to protect device passwords. A remote administrator can gain access to the password hashes.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

MX207: All versions

MX213: All versions

MX220: All versions

MC206: All versions

MC212: All versions

MC220: All versions

MH230: All versions

MC205: All versions

MC210: All versions

MH212: All versions

ME203: All versions

CS200: All versions

MP213: All versions

MP226: All versions

MPC240: All versions

MPC265: All versions

MPC270: All versions

MPC293: All versions

MPE270: All versions

CPC210: All versions

M-Base Operating System: 1.06.14

External links
https://ics-cert.us-cert.gov/advisories/icsa-21-026-01-0

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Use of Password Hash With Insufficient Computational Effort in Bachmann Electronic M1 System Processor Modules