Overview
The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock has default administrator login credentials that cannot be modified by an administrator.
Description
The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock can sync up to 60,000 slave clocks located throughout a campus-area network via Zigbee. An administrator will typically log in to the device by supplying credentials to a web interface. These devices contain a consistent, hardcoded administrative username and password that cannot be changed by the administrator.
Impact
A remote, unauthenticated attacker can view and change system configuration files or other sensitive data.
Solution
We are currently unaware of a practical solution to this problem.
Restrict Access
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 5.3 | AV:N/AC:/Au:N/C:C/I:C/A:C |
Temporal | 5 | E:H/RL:W/RC:C |
Environmental | 1.3 | CDP:/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Temple Murphy for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
CVE IDs: CVE-2012-1288
Severity Metric: 34.20
Date Public: 2012-02-20
Date First Published: 2012-02-20
Date Last Updated: 2012-07-23 20:46 UTC
Document Revision: 24