Vulnerability Note VU#707254
UTC Fire & Security Master Clock contains hardcoded default administrator login credentials
Overview
The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock has default administrator login credentials that cannot be modified by an administrator.
Description
The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock can sync up to 60,000 slave clocks located throughout a campus-area network via Zigbee. An administrator will typically log in to the device by supplying credentials to a web interface. These devices contain a consistent, hardcoded administrative username and password that cannot be changed by the administrator.
Impact
A remote, unauthenticated attacker can view and change system configuration files or other sensitive data.
Solution
We are currently unaware of a practical solution to this problem.
Restrict Access
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| General Electric | Affected | 09 Jan 2012 | 06 Feb 2012 |
| UTC Fire & Security | Affected | 12 Jan 2012 | 06 Feb 2012 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 5.3 | AV:N/AC:/Au:N/C:C/I:C/A:C |
| Temporal | 5.0 | E:H/RL:W/RC:C |
| Environmental | 1.3 | CDP:/TD:L/CR:ND/IR:ND/AR:ND |
Credit
Thanks to Temple Murphy for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
- CVE IDs: CVE-2012-1288
- Date Public: 20 Feb 2012
- Date First Published: 20 Feb 2012
- Date Last Updated: 23 Jul 2012
- Severity Metric: 34.20
- Document Revision: 24