{"vuid":"VU#707254","idnumber":"707254","name":"UTC Fire & Security Master Clock contains hardcoded default administrator login credentials","keywords":["utc","ge security","master clock","hardcoded","credentials","GE-MC100-NTP","GPS-ZB","scada"],"overview":"UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock has default administrator login credentials that cannot be modified by an administrator.","clean_desc":"UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock via Zigbee can sync up to 60,000 slave clocks located throughout a campus-area network. An administrator will typically log into the device by supplying credentials to a web-interface. These devices contain a consistent, hardcoded administrative username and password that cannot be changed by the administrator.","impact":"A remote, unauthenticated attacker can view and change system configuration files or other sensitive data.","resolution":"We are currently unaware of a practical solution to this problem.","workarounds":"Restrict Access\nDo not allow access to the web interface of the UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock from untrusted networks. 
Block Access to the Web Interface\nBlocking access to port 80/tcp will prevent any user, even authorized administrators, from logging into the web-interface, but will not interfere with the UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock slave clock syncing.","sysaffected":"","thanks":"Thanks to Temple Murphy for reporting this vulnerability.","author":"This document was written by Michael Orlando.","public":["http://www.utcfssecurityproducts.com/ProductsAndServices/Pages/GE-MC100-NTPspl_2F_splGPS-ZB.aspx"],"cveids":["CVE-2012-1288"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2012-01-04T13:48:17Z","publicdate":"2012-02-20T00:00:00Z","datefirstpublished":"2012-02-20T13:09:10Z","dateupdated":"2012-07-23T20:46:30Z","revision":24,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"3","cam_widelyknown":"8","cam_exploitation":"0","cam_internetinfrastructure":"11","cam_population":"12","cam_impact":"20","cam_easeofexploitation":"20","cam_attackeraccessrequired":"20","cam_scorecurrent":"34.2","cam_scorecurrentwidelyknown":"55.8","cam_scorecurrentwidelyknownexploited":"91.8","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"5.3","cvss_basevector":"AV:N/AC:/Au:N/C:C/I:C/A:C","cvss_temporalscore":"5","cvss_environmentalscore":"1.3","cvss_environmentalvector":"
CDP:/TD:L/CR:ND/IR:ND/AR:ND","metric":34.2,"vulnote":null}