Vulnerability Note VU#707254

UTC Fire & Security Master Clock contains hardcoded default administrator login credentials

Overview

UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock have default administrator login credentials that can not be modified by an administrator.

I. Description

UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock via Zigbee can sync up to 60,000 slave clocks located throughout a campus-area network. An administrator will typically log into the device by supplying credentials to a web-interface. These devices contain a consistent, hardcoded administrative username and password that cannot be changed by the administrator.

II. Impact

A remote, unauthenticated attacker can view and change system configuration files or other sensitive data.

III. Solution

We are currently unaware of a practical solution to this problem.

Restrict Access
Do not allow access to the web interface of the UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock from untrusted networks.

Block Access to the Web Interface
Blocking access to port 80/tcp will prevent any user, even authorized administrators, from logging into the web-interface, but will not interfere with the UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock slave clock syncing.

Vendor Information

Vendor	Status	Date Notified	Date Updated
General Electric	Affected	2012-01-09	2012-02-06
UTC Fire & Security	Affected	2012-01-12	2012-02-06

References

http://www.utcfssecurityproducts.com/ProductsAndServices/Pages/GE-MC100-NTPspl_2F_splGPS-ZB.aspx

Credit

Thanks to Temple Murphy for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public:	2012-02-20
Date First Published:	2012-02-20
Date Last Updated:	2012-02-29
CERT Advisory:
CVE-ID(s):	CVE-2012-1288
NVD-ID(s):	CVE-2012-1288
US-CERT Technical Alerts:
Severity Metric:	34.20
Document Revision:	22

---

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify