All Bachmann M1 System Processor Modules
Monitor | 7.2 | ICS-CERT ICSA-21-026-02 | Jan 26, 2021
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
Bachmann M1 System Processor Modules (MX207, MX213, MX220, MC206, MC212, MC220, MH230) with MSYS v1.06.14 and later contain a vulnerability that allows an unauthenticated remote attacker to gain access to password hashes of the controller if Security Level 4 is not enabled. If Security Level 4 is properly configured, an authenticated remote attacker could still extract user credentials. The vulnerability affects the default security configuration and authentication mechanisms of these industrial controllers.
What this means
What could happen
An attacker with network access could steal password hashes or user credentials from your M1 controllers, potentially gaining access to modify process settings, setpoints, or stop production. This is especially critical if controllers are configured with the default insecure settings instead of Security Level 4.
Who's at risk
Water utilities and municipal electric operators using Bachmann M1 hardware controllers (MX207, MX213, MX220, MC206, MC212, MC220, MH230) for process control, supervisory functions, or automation should assess their deployment. This is especially critical for sites where these controllers manage pumping, distribution, generation, or safety-critical processes and are accessible from maintenance networks or remote management systems.
How it could be exploited
An unauthenticated attacker on the network sends requests to the M1 controller to extract password hashes stored on the device. If the controller is running with Security Level 4 enabled, the attacker would first need valid credentials to authenticate, then could extract additional user credentials. The attacker could then use these credentials to gain control of the controller and modify industrial process operations.
Prerequisites
- Network access to the M1 controller (for unauthenticated hash extraction)
- M1 controller running MSYS v1.06.14 or later without Security Level 4 enabled (for unauthenticated exploitation)
- Valid controller credentials (required if Security Level 4 is properly configured)
- Remotely exploitable over the network
- No authentication required for unauthenticated exploitation (hash extraction)
- Low complexity attack
- Default credentials and insecure settings enable exploitation
- No patch available for some deployments
- Affects legacy systems (no fix for MSYS v1.06.14 and later)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| M1 Hardware Controllers MX207 MX213 MX220 MC206 MC212 MC220 MH230: Operating Systems and Middleware | ≥ MSYS v1.06.14 | No fix yet |
Remediation & Mitigation
Do now
- HARDENING: Enable Security Level 4 on all M1 controllers to enforce TLS-protected communication and disable insecure services (Telnet, FTP, Console access)
- HARDENING: Change the default username and password in the Bachmann login handler for all field-deployed controllers
- HARDENING: Restrict network access to M1 controllers—only allow traffic from authorized engineering workstations, HMI systems, and management networks; block direct Internet access
- WORKAROUND: Disable all insecure protocols (Telnet, FTP) on M1 controllers and use only TLS-encrypted management channels
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update to Bachmann Version 4.49-P1 (item number 00036634-90) or Version 3.95R-P8 via your OEM, reseller, or Bachmann technical support
Long-term hardening
- HARDENING: Configure M1 controllers to use an external authentication handler (LDAP, RADIUS, or Active Directory) instead of the default Bachmann authentication
- HARDENING: Restrict physical access to M1 controllers to authorized maintenance personnel only
CVEs (1)