Vulnerability Details : CVE-2020-16231
The affected Bachmann Electronic M-Base Controllers of version MSYS v1.06.14 and later use weak cryptography to protect device passwords. Affected controllers that are actively supported include MX207, MX213, MX220, MC206, MC212, MC220, and MH230 hardware controllers, and affected end-of-life controllers include MC205, MC210, MH212, ME203, CS200, MP213, MP226, MPC240, MPC265, MPC270, MPC293, MPE270, and CPC210 hardware controllers. Security Level 0 is set by default by the manufacturer, which could allow an unauthenticated remote attacker to gain access to the password hashes. Security Level 4 is susceptible if an authenticated remote attacker or an unauthenticated person with physical access to the device reads and decrypts the password to conduct further attacks.
Products affected by CVE-2020-16231
- cpe:2.3:o:bachmann:mx207_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mx213_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mx220_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mc206_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mc212_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mc220_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mh230_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mc205_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mc210_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mh212_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:me203_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:cs200_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mp213_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mp226_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mpc240_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mpc265_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mpc270_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mpc293_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:mpe270_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bachmann:cpc210_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-16231
0.24%: Probability of exploitation activity in the next 30 days
~63%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-16231
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | ICS-CERT | |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2020-16231
- The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Assigned by:
- ics-cert@hq.dhs.gov (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2020-16231
- https://www.cisa.gov/uscert/ics/advisories/icsa-21-026-02
  All Bachmann M1 System Processor Modules | CISA (Third Party Advisory; US Government Resource)