Executive Summary
Summary | |
---|---|
Title | UTC Fire & Security Master Clock contains hardcoded default administrator login credentials |
Information | |||
---|---|---|---|
Name | VU#707254 | First vendor Publication | 2012-02-20 |
Vendor | VU-CERT | Last vendor Modification | 2012-02-29 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#707254
UTC Fire & Security Master Clock contains hardcoded default administrator login credentials

Overview
The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock has default administrator login credentials that cannot be modified by an administrator.

I. Description
The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock can sync up to 60,000 slave clocks located throughout a campus-area network via Zigbee. An administrator will typically log into the device by supplying credentials to a web interface. These devices contain a consistent, hardcoded administrative username and password that cannot be changed by the administrator.

II. Impact
A remote, unauthenticated attacker can view and change system configuration files or other sensitive data.

III. Solution
We are currently unaware of a practical solution to this problem.

Restrict Access

References
http://www.utcfssecurityproducts.com/ProductsAndServices/Pages/GE-MC100-NTPspl_2F_splGPS-ZB.aspx

Credit
Thanks to Temple Murphy for reporting this vulnerability.
This document was written by Michael Orlando.

Other Information
This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify |
Original Source
Url : http://www.kb.cert.org/vuls/id/707254 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-255 | Credentials Management |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Hardware | 1 |