Vulnerability Note VU#707254
UTC Fire & Security Master Clock contains hardcoded default administrator login credentials
The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock has default administrator login credentials that cannot be modified by an administrator.
The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock can sync, via Zigbee, up to 60,000 slave clocks located throughout a campus-area network. An administrator will typically log in to the device by supplying credentials to a web interface. These devices contain a consistent, hardcoded administrative username and password that cannot be changed by the administrator.
A remote, unauthenticated attacker can view and change system configuration files or other sensitive data.
We are currently unaware of a practical solution to this problem.
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| General Electric | Affected | 09 Jan 2012 | 06 Feb 2012 |
| UTC Fire & Security | Affected | 12 Jan 2012 | 06 Feb 2012 |
Thanks to Temple Murphy for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: CVE-2012-1288
- Date Public: 20 Feb 2012
- Date First Published: 20 Feb 2012
- Date Last Updated: 23 Jul 2012
- Severity Metric: 34.20
- Document Revision: 24
If you have feedback, comments, or additional information about this vulnerability, please send us email.