CVSS2: 10 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |

EPSS: 0.003 Low (Percentile: 71.2%)
The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock has default administrator login credentials that cannot be modified by an administrator.
UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock via Zigbee can sync up to 60,000 slave clocks located throughout a campus-area network. An administrator will typically log into the device by supplying credentials to a web-interface. These devices contain a consistent, hardcoded administrative username and password that cannot be changed by the administrator.
A remote, unauthenticated attacker can view and change system configuration files or other sensitive data.
We are currently unaware of a practical solution to this problem.
Restrict Access
Do not allow access to the web interface of the UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock from untrusted networks.
Block Access to the Web Interface
Blocking access to port 80/tcp will prevent any user, even authorized administrators, from logging into the web-interface, but will not interfere with the UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock slave clock syncing.
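To confirm that either workaround is actually in effect, the following added example (not part of the original advisory or any vendor tooling) checks from a chosen vantage point, such as a host on an untrusted segment, whether 80/tcp on each master clock still accepts connections. The device addresses are supplied by the operator on the command line; the function names `probe` and `audit` are hypothetical.

```python
import socket
import sys

WEB_PORT = 80  # web-interface port named in the advisory's workaround


def probe(host, port=WEB_PORT, timeout=2.0):
    """Classify a TCP port as 'open', 'closed' (refused) or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: login page is reachable
    except ConnectionRefusedError:
        return "closed"          # a reset came back: rejected by host or firewall
    except OSError:
        return "filtered"        # timeout or unreachable: packets were dropped


def audit(hosts, port=WEB_PORT, timeout=2.0):
    """Probe every address; return (per-host states, sorted list still exposed)."""
    results = {host: probe(host, port, timeout) for host in hosts}
    exposed = sorted(h for h, state in results.items() if state == "open")
    return results, exposed


if __name__ == "__main__":
    # Usage: python check_clock_web.py <clock-address> [<clock-address> ...]
    # No addresses come from the advisory; pass your own inventory.
    results, exposed = audit(sys.argv[1:])
    for host, state in results.items():
        print(f"{host}:{WEB_PORT} {state}")
    # Non-zero exit lets a scheduled job alert when a filter rule regresses.
    sys.exit(1 if exposed else 0)
```

Run it once from the untrusted network (every clock should report `closed` or `filtered`) and, if the interface is only restricted rather than fully blocked, once from the management network to confirm administrators can still reach it.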
707254
Notified: January 09, 2012 Updated: February 06, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: January 12, 2012 Updated: February 06, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 5.3 | AV:N/AC:/Au:N/C:C/I:C/A:C |
Temporal | 5 | E:H/RL:W/RC:C |
Environmental | 1.3 | CDP:/TD:L/CR:ND/IR:ND/AR:ND |
<http://www.utcfssecurityproducts.com/ProductsAndServices/Pages/GE-MC100-NTPspl_2F_splGPS-ZB.aspx>
Thanks to Temple Murphy for reporting this vulnerability.
This document was written by Michael Orlando.
CVE IDs: | CVE-2012-1288 |
---|---|
Severity Metric: | 34.20 |
Date Public: | |