CERT VU:707254
History: Feb 20, 2012 - 12:00 a.m.

UTC Fire & Security Master Clock contains hardcoded default administrator login credentials

2012-02-20 00:00:00
www.kb.cert.org

CVSS2: 10 High
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.003 Low (Percentile: 71.2%)

Overview

The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock has default administrator login credentials that cannot be modified by an administrator.

Description

The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock can sync up to 60,000 slave clocks located throughout a campus-area network via Zigbee. An administrator will typically log into the device by supplying credentials to a web interface. These devices contain a consistent, hardcoded administrative username and password that cannot be changed by the administrator.


Impact

A remote, unauthenticated attacker can view and change system configuration files or other sensitive data.


Solution

We are currently unaware of a practical solution to this problem.


Restrict Access
Do not allow access to the web interface of the UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock from untrusted networks.

Block Access to the Web Interface
Blocking access to port 80/tcp will prevent any user, even authorized administrators, from logging into the web-interface, but will not interfere with the UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock slave clock syncing.
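
One way to confirm that either workaround above is in effect, as an added example that is not part of the original advisory: a TCP reachability audit of 80/tcp on master clocks you administer, run from the network segment being tested. The inventory addresses are constructed placeholders from the RFC 5737 documentation range, and the function names are this example's own.

```python
import errno
import socket

WEB_PORT = 80  # the web interface port named in the advisory (80/tcp)


def probe(host, port=WEB_PORT, timeout=3.0):
    """Classify one TCP endpoint as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: interface reachable
    except ConnectionRefusedError:
        return "closed"          # RST received: reject rule or no listener
    except (socket.timeout, TimeoutError):
        return "filtered"        # no reply: packets dropped on the path
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"    # ICMP unreachable or no route
        raise


def audit(inventory, port=WEB_PORT, timeout=3.0):
    """Probe every host; return (state per host, sorted list still exposed)."""
    results = {host: probe(host, port, timeout) for host in inventory}
    exposed = sorted(h for h, state in results.items() if state == "open")
    return results, exposed


if __name__ == "__main__":
    # Constructed inventory (RFC 5737 documentation addresses); replace with
    # the master clocks you administer.
    clocks = ["192.0.2.10", "192.0.2.11"]
    results, exposed = audit(clocks)
    for host, state in results.items():
        print(f"{host}:{WEB_PORT} {state}")
    # Non-zero exit when any web interface still answers from this segment.
    raise SystemExit(1 if exposed else 0)
```

Run it once from an untrusted segment and once from the administrative network: under Restrict Access only the untrusted run should report no `open` hosts, while under Block Access both runs should.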


Vendor Information


General Electric Affected

Notified: January 09, 2012 Updated: February 06, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

UTC Fire & Security Affected

Notified: January 12, 2012 Updated: February 06, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 5.3 AV:N/AC:/Au:N/C:C/I:C/A:C
Temporal 5 E:H/RL:W/RC:C
Environmental 1.3 CDP:/TD:L/CR:ND/IR:ND/AR:ND

References

<http://www.utcfssecurityproducts.com/ProductsAndServices/Pages/GE-MC100-NTPspl_2F_splGPS-ZB.aspx>

Acknowledgements

Thanks to Temple Murphy for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-1288
Severity Metric: 34.20 Date Public:
