Executive Summary

Title: UTC Fire & Security Master Clock contains hardcoded default administrator login credentials
Name: VU#707254
First vendor Publication: 2012-02-20
Vendor: VU-CERT
Last vendor Modification: 2012-02-29
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score: 10
Cvss Impact Score: 10
Cvss Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required


Vulnerability Note VU#707254

UTC Fire & Security Master Clock contains hardcoded default administrator login credentials


The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock has default administrator login credentials that cannot be modified by an administrator.

I. Description

The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock can sync up to 60,000 slave clocks located throughout a campus-area network via Zigbee. An administrator will typically log into the device by supplying credentials to a web interface. These devices contain a consistent, hardcoded administrative username and password that cannot be changed by the administrator.

II. Impact

A remote, unauthenticated attacker can view and change system configuration files or other sensitive data.

III. Solution

We are currently unaware of a practical solution to this problem.

Restrict Access
Do not allow access to the web interface of the UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock from untrusted networks.

Block Access to the Web Interface
Blocking access to port 80/tcp will prevent any user, even authorized administrators, from logging into the web interface, but will not interfere with the UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock slave clock syncing.
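
One way to confirm the workarounds above are in effect, as an added example that is not part of the CERT note: run this from a host on a network that should no longer reach the clocks. The function names and the 192.0.2.x inventory are assumptions made for illustration.

```python
import socket
import sys

WEB_PORT = 80  # the note's workaround blocks 80/tcp (the web interface)


def probe(host, port=WEB_PORT, timeout=2.0):
    """Classify a TCP port as 'open', 'closed' (refused) or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"      # a reset came back: host or firewall rejects
    except OSError:
        return "filtered"    # timeout or unreachable: packets are dropped


def audit(clocks, port=WEB_PORT, timeout=2.0):
    """Probe every clock address; anything still 'open' is not mitigated."""
    report = {}
    for host in clocks:
        state = probe(host, port, timeout)
        report[host] = {"state": state, "mitigated": state != "open"}
    return report


def exposed(report):
    """Addresses whose web interface still accepts connections."""
    return sorted(h for h, r in report.items() if not r["mitigated"])


if __name__ == "__main__":
    # Constructed placeholder inventory (RFC 5737 documentation range).
    inventory = sys.argv[1:] or ["192.0.2.10", "192.0.2.11"]
    result = audit(inventory)
    for host, r in result.items():
        verdict = "OK" if r["mitigated"] else "EXPOSED"
        print(f"{host}:{WEB_PORT} {r['state']} -> {verdict}")
    sys.exit(1 if exposed(result) else 0)
```

A nonzero exit status means at least one listed clock still accepts connections on 80/tcp from where the script ran.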

Vendor Information

Vendor                 Status      Date Notified   Date Updated
General Electric       Affected    2012-01-09      2012-02-06
UTC Fire & Security    Affected    2012-01-12      2012-02-06




Thanks to Temple Murphy for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public: 2012-02-20
Date First Published: 2012-02-20
Date Last Updated: 2012-02-29
CERT Advisory: 
US-CERT Technical Alerts: 
Severity Metric: 34.20
Document Revision: 22

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

Original Source

Url : http://www.kb.cert.org/vuls/id/707254

CWE : Common Weakness Enumeration

%        Id         Name
100 %    CWE-255    Credentials Management

CPE : Common Platform Enumeration

Hardware 1