CVE-2016-9358
📋 TL;DR
This CVE describes a hard-coded password vulnerability in multiple Marel Food Processing Systems products where system passwords cannot be changed by end users. This allows attackers with knowledge of the default credentials to gain unauthorized access to industrial control systems. Affected systems include M3000/M3210 terminals, MAC4 controllers, SensorX X-ray machines, and MWS2 weighing systems across various food processing equipment.
💻 Affected Systems
- M3000 terminal
- M3210 terminal
- M3000 desktop software
- MAC4 controller
- SensorX23 X-ray machine
- SensorX25 X-ray machine
- MWS2 weighing system
- A320
- A325
- A371
- A520 Master
- A520 Slave
- A530
- A542
- A571
- Check Bin Grader
- FlowlineQC T376
- IPM3 Dual Cam v132
- IPM3 Dual Cam v139
- IPM3 Single Cam v132
- P520
- P574
- SensorX13 QC flow line
- SensorX23 QC Master
- SensorX23 QC Slave
- Speed Batcher
- T374
- T377
- V36
- V36B
- V36C
📦 What is this software?
The affected products are Marel industrial food processing equipment and its supervisory software: the M3000/M3210 operator terminals and M3000 desktop software, MAC4 controllers, SensorX X-ray inspection machines, MWS2 weighing systems, and the processing lines, batchers and graders listed above that incorporate them. These are the systems plant operators use to monitor and control the line, which is why a password that cannot be changed matters.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial food processing systems allowing unauthorized control, production disruption, safety system manipulation, or introduction of contaminants into food products.
Likely Case
Unauthorized access to monitoring and control systems enabling production disruption, data theft, or manipulation of processing parameters.
If Mitigated
Limited impact if systems are properly segmented, monitored, and access controlled through network security measures.
🎯 Exploit Status
Exploitation requires only the hard-coded credentials and network access to the device's management interface. The credentials may be recovered by reverse engineering the firmware or desktop software, or from leaked documentation, and because they cannot be changed, a single disclosure applies to every installation. No special tools or skills are needed beyond basic network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Contact vendor for specific firmware/software updates
Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-17-094-02
Restart Required: Yes
Instructions:
1. Contact Marel for updated firmware/software versions
2. Apply vendor-provided patches that allow password changes
3. Restart affected systems after patching
4. Change all default passwords to strong, unique credentials
🔧 Temporary Workarounds
Network Segmentation
Isolate affected systems in a dedicated ICS network segment with strict access controls; the management interface must not be reachable from the corporate network or the internet.
Access Control Lists
Implement firewall rules that allow the affected systems' management ports to be reached only from an explicit allowlist of authorized management stations, and deny everything else.
🧯 If You Can't Patch
- Implement strict network segmentation and zero-trust architecture around affected systems
- Deploy network monitoring and intrusion detection specifically for ICS protocols and unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Attempt to log in with the vendor-documented default credentials and check whether the user interface offers any way to change them; if the defaults authenticate and cannot be changed, the system is vulnerable.
Check Version:
Consult system documentation or vendor for version checking procedures
Verify Fix Applied:
Verify ability to change system passwords and confirm new credentials work while old defaults fail
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful login with default credentials
- Unusual access patterns to industrial control interfaces
- Authentication from unexpected IP addresses
Network Indicators:
- Unauthorized ICS protocol traffic
- Connection attempts to industrial system ports from non-management networks
- Traffic patterns indicating credential guessing
SIEM Query (pseudo-query; substitute your own field names, the management-station allowlist and the ports your devices actually use):
source_ip NOT IN (authorized_management_ips) AND (destination_port IN (industrial_ports) OR protocol IN (modbus, profinet, ethernet/ip)) AND auth_success = true
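The following is an added example, not code from Marel or from the ICS-CERT advisory. It turns the pseudo-query above and the "failed attempts followed by a successful login with a default account" log indicator into runnable detection logic, and it also serves the Access Control Lists workaround: the same management-station allowlist the firewall enforces is what the detector treats as authorized. Everything concrete in it is assumed for illustration: the syslog-style line format, the management subnet 10.10.5.0/24, the port set (the Modbus/TCP, EtherNet/IP and PROFINET ports named in the query; the ports a given Marel device actually listens on must come from the vendor documentation), and the account names "admin" and "service" standing in for the hard-coded defaults. The log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed for this example: the management stations allowed to reach the
# terminals and controllers (same allowlist the firewall ACL should enforce).
AUTHORIZED_MGMT = (ipaddress.ip_network("10.10.5.0/24"),)
# Modbus/TCP, EtherNet/IP, PROFINET-RT ports; assumption, not Marel-specific.
INDUSTRIAL_PORTS = {502, 44818, 34962}
# Hypothetical names standing in for the hard-coded default accounts.
DEFAULT_ACCOUNTS = {"admin", "service"}

# Assumed syslog-style auth line format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dport=(?P<port>\d+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Return a dict for a well-formed auth line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    try:
        d["src_ip"] = ipaddress.ip_address(d["src"])
    except ValueError:
        return None
    return d


def is_authorized(ip, authorized=AUTHORIZED_MGMT):
    """True if the source address is inside one of the management networks."""
    return any(ip in net for net in authorized)


def unauthorized_success(events, authorized=AUTHORIZED_MGMT, ports=INDUSTRIAL_PORTS):
    """Mirror of the SIEM pseudo-query: a successful login to an industrial
    port from a source outside the management allowlist."""
    return [
        (e["ts"], e["host"], e["user"], e["src"])
        for e in events
        if e["result"] == "success"
        and e["port"] in ports
        and not is_authorized(e["src_ip"], authorized)
    ]


def default_account_after_failures(events, default_accounts=DEFAULT_ACCOUNTS, min_failures=3):
    """Flag a success with a default account that follows a run of failures
    from the same source to the same host (credential guessing, then login
    with the hard-coded password)."""
    failures = defaultdict(int)  # (host, src) -> consecutive failures so far
    alerts = []
    for e in events:
        key = (e["host"], e["src"])
        if e["result"] == "failure":
            failures[key] += 1
            continue
        if e["user"] in default_accounts and failures[key] >= min_failures:
            alerts.append((e["ts"], e["host"], e["user"], e["src"], failures[key]))
        failures[key] = 0  # any success ends the run
    return alerts


def analyze(lines):
    """Parse the lines (skipping non-auth ones) and run both detections."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return {
        "unauthorized_success": unauthorized_success(events),
        "default_after_failures": default_account_after_failures(events),
    }


# Constructed sample log: one normal login from a management station, a burst
# of failures then a default-account success from the plant floor, an
# unrelated success on a non-ICS port, and a non-auth line to be skipped.
SAMPLE_LOG = [
    "2017-04-04T10:01:02Z m3000-line1 auth: user=admin src=10.10.5.20 dport=502 result=success",
    "2017-04-04T10:02:10Z m3000-line1 auth: user=admin src=192.168.40.77 dport=502 result=failure",
    "2017-04-04T10:02:12Z m3000-line1 auth: user=admin src=192.168.40.77 dport=502 result=failure",
    "2017-04-04T10:02:15Z m3000-line1 auth: user=admin src=192.168.40.77 dport=502 result=failure",
    "2017-04-04T10:02:20Z m3000-line1 auth: user=admin src=192.168.40.77 dport=502 result=success",
    "2017-04-04T10:05:00Z mac4-ctrl2 auth: user=operator src=192.168.40.78 dport=8080 result=success",
    "2017-04-04T10:06:00Z m3000-line1 kernel: link up",
]

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(name, hits)
```

The two detections are deliberately separate: the allowlist rule fires on any successful login from outside the management segment, which is the condition the firewall ACL should already make impossible, while the failure-run rule still catches a default-account login that arrives from an allowed address, which is the case a fixed password leaves open until the vendor update lets you change it.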