CVE-2020-7233
📋 TL;DR
KMS Controls BAC-A1616BC BACnet building controllers ship with a hardcoded backdoor password, 'snowman', stored in a BACKDOOR_NAME variable inside the Flash login applet (BC_Logon.swf) of the device's web interface. Anyone who can reach that web interface can log in with the password and obtain administrative control of the building automation system. Organizations using these controllers for HVAC, lighting, or other building controls are affected.
💻 Affected Systems
- KMS Controls BAC-A1616BC BACnet Controller
📦 What is this software?
The BAC-A1616BC is a BACnet building automation controller from KMS Controls used to run HVAC, lighting and similar building systems. It is managed over BACnet/IP by a building management system (BMS) and also exposes a web interface whose login applet, BC_Logon.swf, is where the backdoor lives. Note that the flaw is in the web login, not in the BACnet protocol itself.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with administrative control of the controller can rewrite setpoints and schedules, override HVAC and lighting outputs, disable interlocks, or drive equipment outside its safe operating range, causing physical damage or unsafe conditions in the building. Any security-related systems wired to the controller are exposed the same way.
Likely Case
Unauthorized access to the building management system, allowing an attacker to observe building operations, manipulate environmental controls, or disrupt building services.
If Mitigated
Limited impact if the controllers sit on an isolated network with strict access controls and monitoring. The backdoor itself is not removed by any of this: anyone who can reach the web interface, including an insider or a compromised host on the segmented network, can still log in.
🎯 Exploit Status
The password is published in the advisory and is also embedded in the login applet that every browser downloads before logging in, so no special tools or skills are needed. An attacker needs only network reachability to the controller's web interface and the password.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No official vendor advisory found
Restart Required: No
Instructions:
No official patch was identified. Contact KMS Controls for a firmware update or replacement options, and treat the workarounds below as the only controls until one is available.
🔧 Temporary Workarounds
Network Segmentation
Isolate BACnet controllers on their own VLAN behind a firewall that blocks all access from the internet and from general user networks. BACnet/IP uses UDP port 47808 (0xBAC0); allow it only between the controllers and the BMS head-end.
Access Control Lists
Restrict the controller's web interface (HTTP/HTTPS) to a small set of administrative hosts, and allow BACnet traffic only from trusted sources such as the BMS server.
🧯 If You Can't Patch
- Physically disconnect affected devices from any network that can reach the internet
- Monitor traffic to the controllers' web interface around the clock for logins that use the 'snowman' password, and alert on any login from a host that is not an approved administrative workstation
🔍 How to Verify
Check if Vulnerable:
Retrieve BC_Logon.swf from the device's web interface (the browser downloads it when the login page loads), decompress it if it is a zlib-compressed CWS file, and search the decompressed bytes for the BACKDOOR_NAME variable and the string 'snowman'. Alternatively, with authorization, attempt to log in with 'snowman' as the password.
Check Version:
Check device firmware version through BACnet interface or device management console
Verify Fix Applied:
Confirm that logging in with the 'snowman' password fails and that the BACKDOOR_NAME variable and the 'snowman' string are absent from the BC_Logon.swf now served by the device
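The file check above in script form. This is an added example, not code from KMS Controls or the advisory; it assumes only what the advisory states (a BACKDOOR_NAME variable and the string 'snowman' inside BC_Logon.swf) plus the public SWF container layout. The sample SWF blobs it builds are constructed for demonstration and are not real copies of the applet.

```python
"""Check a copy of BC_Logon.swf for the hardcoded backdoor password.

Added example, not vendor or advisory code.  It assumes only what the advisory
states (a BACKDOOR_NAME variable holding 'snowman' in the applet) plus the
public SWF container layout.
"""
import re
import struct
import sys
import zlib

BACKDOOR_PASSWORD = b"snowman"
BACKDOOR_VARIABLE = b"BACKDOOR_NAME"


def decompress_swf(blob: bytes) -> bytes:
    """Strip the SWF container and return the raw tag stream.

    Header: 3-byte signature, 1-byte version, uint32 LE length of the whole
    uncompressed file.  FWS = stored, CWS = zlib after the 8-byte header,
    ZWS = LZMA (not handled here).
    """
    if len(blob) < 8:
        raise ValueError("too short to be an SWF file")
    sig, expected_len = blob[:3], struct.unpack_from("<I", blob, 4)[0]
    if sig == b"FWS":
        body = blob[8:]
    elif sig == b"CWS":
        try:
            body = zlib.decompress(blob[8:])
        except zlib.error as exc:
            raise ValueError(f"corrupt or truncated zlib stream: {exc}") from exc
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF: convert it to FWS with an SWF tool first")
    else:
        raise ValueError(f"not an SWF file (signature {sig!r})")
    if len(body) + 8 != expected_len:
        # A truncated download would otherwise look 'clean'; refuse it.
        raise ValueError(f"length mismatch: header says {expected_len}, got {len(body) + 8}")
    return body


def find_markers(blob: bytes, context: int = 24) -> dict[bytes, list[bytes]]:
    """Locate the backdoor variable name and password, with surrounding bytes.

    ActionScript string literals (AVM1 constant pools and AVM2 ABC string
    tables alike) sit in the tag stream as plain UTF-8, so a substring search
    over the decompressed bytes finds them without a decompiler.
    """
    body = decompress_swf(blob)
    return {
        marker: [body[max(0, m.start() - context):m.end() + context]
                 for m in re.finditer(re.escape(marker), body)]
        for marker in (BACKDOOR_VARIABLE, BACKDOOR_PASSWORD)
    }


def is_vulnerable(blob: bytes) -> bool:
    """The password is the real indicator: a fixed build may keep the
    BACKDOOR_NAME symbol, but it must no longer carry 'snowman'."""
    return bool(find_markers(blob)[BACKDOOR_PASSWORD])


def build_sample_swf(tag_stream: bytes, compressed: bool = True) -> bytes:
    """Wrap bytes in a minimal SWF container.  Used only to construct test
    data below; these blobs are not real copies of BC_Logon.swf."""
    header = (b"CWS" if compressed else b"FWS") + bytes([10])
    header += struct.pack("<I", len(tag_stream) + 8)
    return header + (zlib.compress(tag_stream) if compressed else tag_stream)


# Constructed samples: a constant pool laid out as an AVM1 applet would store
# it, with and without the backdoor strings.
VULNERABLE_SAMPLE = build_sample_swf(b"\x00" * 16 + b"BACKDOOR_NAME\x00snowman\x00checkPassword\x00")
FIXED_SAMPLE = build_sample_swf(b"\x00" * 16 + b"checkPassword\x00", compressed=False)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else VULNERABLE_SAMPLE
    for marker, snippets in find_markers(data).items():
        for snippet in snippets:
            print(f"{marker.decode()}: {snippet!r}")
    print("VULNERABLE" if is_vulnerable(data) else "backdoor password not found")
```

Run it against a copy saved straight from the controller (`python check_bc_logon.py BC_Logon.swf`), not from a browser cache or a vendor download, so the result reflects what the device actually serves. The length check matters: an interrupted download of a CWS file fails to decompress, but an interrupted FWS file would otherwise pass as "clean".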
📡 Detection & Monitoring
Log Indicators:
- Successful administrative logins to the controller's web interface from hosts other than the BMS head-end or approved admin workstations, or at unusual hours
- Failed login attempts from one source followed shortly by a successful login (an attacker trying guesses before falling back to the backdoor)
- Multiple login attempts from a single source in a short window
Network Indicators:
- HTTP login requests to the controller's web interface whose submitted password is 'snowman' (observable only if the interface uses plain HTTP or TLS is terminated where it can be inspected)
- Downloads of BC_Logon.swf or other requests to the web interface from unexpected hosts
- BACnet/IP (UDP 47808) write or device-management requests from hosts other than the BMS head-end
SIEM Query:
source="controller_http_traffic" AND http_method="POST" AND (form_password="snowman" OR http_request_body="*snowman*")
Field names above are placeholders to map onto your own log source. The backdoor is in the web login rather than the BACnet protocol, so the query must run over web proxy, IDS or packet-capture logs for the controller's interface, not over BACnet traffic.
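The indicators above as detection logic, run over HTTP request records of the kind a proxy, a Zeek-style HTTP log or a packet-capture export would yield. This is an added example, not vendor or advisory code; the controller address, the allowed admin hosts, the 'logon' path hint and the form field layout are assumptions to be replaced with values observed on your own network, and the sample records are constructed.

```python
"""Flag backdoor logins and login abuse in HTTP traffic to a BAC-A1616BC web interface.

Added example, not vendor or advisory code.  Every value in the CONFIG block is
an assumption; only the password itself comes from the advisory.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote_plus

# --- CONFIG (assumed values; replace with what you observe on your network) ---
BACKDOOR_PASSWORD = "snowman"                 # from the advisory
CONTROLLER_HOSTS = {"10.10.40.15"}            # assumed: controller web interface address
ALLOWED_ADMIN_SOURCES = {"10.10.5.20"}        # assumed: hosts permitted to log in
LOGIN_PATH_HINT = "logon"                     # assumed: taken from the applet name BC_Logon
BRUTE_FORCE_THRESHOLD = 5                     # login attempts per source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=2)     # ... within this window raise an alert

# Constructed sample records (JSON lines).  Paths and addresses are made up:
# one normal admin login, an outside host using the backdoor, then a burst of
# guesses from a third host.
SAMPLE_HTTP_LOG = """
{"ts": "2024-03-01T10:00:00", "src": "10.10.5.20", "dst": "10.10.40.15", "method": "POST", "uri": "/logon", "body": "user=admin&password=Winter2024"}
{"ts": "2024-03-01T10:00:05", "src": "10.10.5.20", "dst": "10.10.40.15", "method": "GET", "uri": "/status", "body": ""}
{"ts": "2024-03-01T10:01:10", "src": "192.0.2.77", "dst": "10.10.40.15", "method": "POST", "uri": "/logon", "body": "user=admin&password=snowman"}
{"ts": "2024-03-01T10:05:00", "src": "198.51.100.9", "dst": "10.10.40.15", "method": "POST", "uri": "/logon", "body": "user=admin&password=admin"}
{"ts": "2024-03-01T10:05:10", "src": "198.51.100.9", "dst": "10.10.40.15", "method": "POST", "uri": "/logon", "body": "user=admin&password=1234"}
{"ts": "2024-03-01T10:05:20", "src": "198.51.100.9", "dst": "10.10.40.15", "method": "POST", "uri": "/logon", "body": "user=admin&password=password"}
{"ts": "2024-03-01T10:05:30", "src": "198.51.100.9", "dst": "10.10.40.15", "method": "POST", "uri": "/logon", "body": "user=admin&password=kms"}
{"ts": "2024-03-01T10:05:40", "src": "198.51.100.9", "dst": "10.10.40.15", "method": "POST", "uri": "/logon", "body": "user=admin&password=bacnet"}
"""


def load_records(text: str) -> list[dict]:
    """Parse JSON-lines records; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_login_attempt(rec: dict) -> bool:
    """A POST to the controller's web interface on a path that looks like the login."""
    return (rec["method"] == "POST" and rec["dst"] in CONTROLLER_HOSTS
            and LOGIN_PATH_HINT in rec["uri"].lower())


def uses_backdoor_password(body: str) -> bool:
    """True if any submitted form value is the backdoor password.

    The applet's form field names are not documented, so every value is
    checked; the substring fallback covers non-form encodings (XML, AMF dumps).
    """
    fields = parse_qs(body, keep_blank_values=True)
    if any(value == BACKDOOR_PASSWORD for values in fields.values() for value in values):
        return True
    return BACKDOOR_PASSWORD in unquote_plus(body)


def analyze(records: list[dict]) -> list[tuple[str, str, str]]:
    """Return (alert_kind, source_ip, timestamp) tuples for suspicious login activity."""
    alerts = []
    recent = defaultdict(list)   # source ip -> timestamps of its recent login attempts
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not is_login_attempt(rec):
            continue
        ts = datetime.fromisoformat(rec["ts"])
        if uses_backdoor_password(rec.get("body", "")):
            alerts.append(("backdoor_password", rec["src"], rec["ts"]))
        if rec["src"] not in ALLOWED_ADMIN_SOURCES:
            alerts.append(("unexpected_source", rec["src"], rec["ts"]))
        window = [t for t in recent[rec["src"]] if ts - t <= BRUTE_FORCE_WINDOW] + [ts]
        recent[rec["src"]] = window
        if len(window) == BRUTE_FORCE_THRESHOLD:   # fire once, when the threshold is crossed
            alerts.append(("many_login_attempts", rec["src"], rec["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, ts in analyze(load_records(SAMPLE_HTTP_LOG)):
        print(f"{ts} {src:15} {kind}")
```

On the sample data the outside host using 'snowman' raises both a backdoor_password and an unexpected_source alert, while the burst of guesses raises one many_login_attempts alert on its fifth try. The backdoor check only works where the login is visible in clear, so if the interface is behind TLS the source-allowlist and rate alerts are what remain; an approved admin workstation logging in with the backdoor would not be flagged by the allowlist rule alone, which is why the password match is kept separate.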