HIGH · 7.2

CVE-2020-16231

Vulnerability Description

The affected Bachmann Electronic M-Base Controllers of version MSYS v1.06.14 and later use weak cryptography to protect device passwords. Affected controllers that are actively supported include the MX207, MX213, MX220, MC206, MC212, MC220, and MH230 hardware controllers, and affected end-of-life controllers include the MC205, MC210, MH212, ME203, CS200, MP213, MP226, MPC240, MPC265, MPC270, MPC293, MPE270, and CPC210 hardware controllers. Security Level 0 is set by default by the manufacturer, which could allow an unauthenticated remote attacker to gain access to the password hashes. Security Level 4 is susceptible if an authenticated remote attacker or an unauthenticated person with physical access to the device reads and decrypts the password to conduct further attacks.

CVSS Score

7.2 (HIGH)

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

Vendor | Product | Versions
Bachmann | Mx207 Firmware | >= 1.06.14
Bachmann | Mx207 | -
Bachmann | Mx213 Firmware | >= 1.06.14
Bachmann | Mx213 | -
Bachmann | Mx220 Firmware | >= 1.06.14
Bachmann | Mx220 | -
Bachmann | Mc206 Firmware | >= 1.06.14
Bachmann | Mc206 | -
Bachmann | Mc212 Firmware | >= 1.06.14
Bachmann | Mc212 | -
Bachmann | Mc220 Firmware | >= 1.06.14
Bachmann | Mc220 | -
Bachmann | Mh230 Firmware | >= 1.06.14
Bachmann | Mh230 | -
Bachmann | Mc205 Firmware | >= 1.06.14
Bachmann | Mc205 | -
Bachmann | Mc210 Firmware | >= 1.06.14
Bachmann | Mc210 | -
Bachmann | Mh212 Firmware | >= 1.06.14
Bachmann | Mh212 | -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2020-16231?

CVE-2020-16231 is a vulnerability with a CVSS score of 7.2 (HIGH). The affected Bachmann Electronic M-Base Controllers of version MSYS v1.06.14 and later use weak cryptography to protect device passwords. Affected controllers that are actively supported include MX207...

How severe is CVE-2020-16231?

CVE-2020-16231 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-16231?

Check the references section above for vendor advisories and patch information. Affected products include: Bachmann Mx207 Firmware, Bachmann Mx207, Bachmann Mx213 Firmware, Bachmann Mx213, Bachmann Mx220 Firmware.