The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock has default administrator login credentials that cannot be modified by an administrator.
The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock can sync, via Zigbee, up to 60,000 slave clocks located throughout a campus-area network. An administrator will typically log in to the device by supplying credentials to a web interface. These devices contain a consistent, hardcoded administrative username and password that cannot be changed by the administrator.
A remote, unauthenticated attacker can view and change system configuration files or other sensitive data.
We are currently unaware of a practical solution to this problem.
UTC Fire & Security
Thanks to Temple Murphy for reporting this vulnerability.
This document was written by Michael Orlando.
| Date First Published: | 2012-02-20 |
| Date Last Updated: | 2012-07-23 20:46 UTC |