ID

VAR-201202-0344


CVE

CVE-2012-1288


TITLE

UTC Fire & Security GE-MC100-NTP/GPS-ZB Trust Management Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2012-9011 // CNNVD: CNNVD-201202-443

DESCRIPTION

The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock device uses hardcoded credentials for an administrative account, which makes it easier for remote attackers to obtain access via an HTTP session. UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock has default administrator login credentials that cannot be modified by an administrator. A remote attacker could exploit the vulnerability to gain access via an HTTP session. Successful exploits will result in the complete compromise of the affected device.

TITLE: UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock Default Account Security Issue
SECUNIA ADVISORY ID: SA48037
VERIFY ADVISORY: http://secunia.com/advisories/48037/
RELEASE DATE: 2012-02-23
DESCRIPTION: A security issue has been reported in UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock, which can be exploited by malicious people to bypass certain security restrictions.
SOLUTION: Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY: US-CERT credits Temple Murphy
ORIGINAL ADVISORY: US-CERT (VU#707254): http://www.kb.cert.org/vuls/id/707254

Trust: 3.24

sources: NVD: CVE-2012-1288 // CERT/CC: VU#707254 // JVNDB: JVNDB-2012-001565 // CNVD: CNVD-2012-9011 // BID: 52083 // PACKETSTORM: 110153

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2012-9011

AFFECTED PRODUCTS

vendor: utc
model: fire & security ge-mc100-ntp/gps-zb master clock device
scope: eq
version: -

Trust: 1.6

vendor: general electric
model: -
scope: -
version: -

Trust: 0.8

vendor: utc fire security
model: -
scope: -
version: -

Trust: 0.8

vendor: utc fire security
model: ge-mc100-ntp/gps-zb
scope: eq
version: master clock

Trust: 0.8

vendor: utcfireandsecurity
model: clock
scope: -
version: -

Trust: 0.6

vendor: utc
model: fire & security ge-mc100-ntp/gps-zb
scope: eq
version: 0

Trust: 0.3

sources: CERT/CC: VU#707254 // CNVD: CNVD-2012-9011 // BID: 52083 // JVNDB: JVNDB-2012-001565 // CNNVD: CNNVD-201202-443 // NVD: CVE-2012-1288

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2012-1288
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#707254
value: 34.20

Trust: 0.8

NVD: CVE-2012-1288
value: HIGH

Trust: 0.8

CNVD: CNVD-2012-9011
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201202-443
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2012-1288
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2012-9011
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CERT/CC: VU#707254 // CNVD: CNVD-2012-9011 // JVNDB: JVNDB-2012-001565 // CNNVD: CNNVD-201202-443 // NVD: CVE-2012-1288

PROBLEMTYPE DATA

problemtype: CWE-255

Trust: 1.8

sources: JVNDB: JVNDB-2012-001565 // NVD: CVE-2012-1288

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201202-443

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201202-443

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-001565

PATCH

title: GE-MC100-NTP/GPS-ZB
url: http://www.utcfssecurityproducts.com/ProductsAndServices/Pages/GE-MC100-NTPspl_2F_splGPS-ZB.aspx

Trust: 0.8

sources: JVNDB: JVNDB-2012-001565

EXTERNAL IDS

db: CERT/CC id: VU#707254

Trust: 3.6

db: NVD id: CVE-2012-1288

Trust: 3.3

db: JVNDB id: JVNDB-2012-001565

Trust: 0.8

db: CNVD id: CNVD-2012-9011

Trust: 0.6

db: NSFOCUS id: 18841

Trust: 0.6

db: CNNVD id: CNNVD-201202-443

Trust: 0.6

db: BID id: 52083

Trust: 0.3

db: SECUNIA id: 48037

Trust: 0.2

db: PACKETSTORM id: 110153

Trust: 0.1

sources: CERT/CC: VU#707254 // CNVD: CNVD-2012-9011 // BID: 52083 // JVNDB: JVNDB-2012-001565 // PACKETSTORM: 110153 // CNNVD: CNNVD-201202-443 // NVD: CVE-2012-1288

REFERENCES

url:http://www.kb.cert.org/vuls/id/707254

Trust: 2.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1288

Trust: 0.8

url:http://jvn.jp/cert/jvnvu707254

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-1288

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/search-results?query=cve-2012-1288

Trust: 0.6

url:http://www.nsfocus.net/vulndb/18841

Trust: 0.6

url:http://www.utcfssecurityproducts.com/productsandservices/pages/ge-mc100-ntpspl_2f_splgps-zb.aspx

Trust: 0.3

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.1

url:http://www.rsaconference.com/events/2012/usa/index.htm

Trust: 0.1

url:http://secunia.com/advisories/48037/#comments

Trust: 0.1

url:http://secunia.com/advisories/48037/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=48037

Trust: 0.1

sources: CERT/CC: VU#707254 // CNVD: CNVD-2012-9011 // BID: 52083 // JVNDB: JVNDB-2012-001565 // PACKETSTORM: 110153 // CNNVD: CNNVD-201202-443 // NVD: CVE-2012-1288

CREDITS

Temple Murphy

Trust: 0.3

sources: BID: 52083

SOURCES

db: CERT/CC id: VU#707254
db: CNVD id: CNVD-2012-9011
db: BID id: 52083
db: JVNDB id: JVNDB-2012-001565
db: PACKETSTORM id: 110153
db: CNNVD id: CNNVD-201202-443
db: NVD id: CVE-2012-1288

LAST UPDATE DATE

2025-04-11T23:08:51.917000+00:00


SOURCES UPDATE DATE

db: CERT/CC id: VU#707254 date: 2012-07-23T00:00:00
db: CNVD id: CNVD-2012-9011 date: 2012-02-24T00:00:00
db: BID id: 52083 date: 2012-02-24T17:50:00
db: JVNDB id: JVNDB-2012-001565 date: 2012-02-24T00:00:00
db: CNNVD id: CNNVD-201202-443 date: 2012-03-13T00:00:00
db: NVD id: CVE-2012-1288 date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: CERT/CC id: VU#707254 date: 2012-02-20T00:00:00
db: CNVD id: CNVD-2012-9011 date: 2012-02-24T00:00:00
db: BID id: 52083 date: 2012-02-20T00:00:00
db: JVNDB id: JVNDB-2012-001565 date: 2012-02-23T00:00:00
db: PACKETSTORM id: 110153 date: 2012-02-23T09:47:13
db: CNNVD id: CNNVD-201202-443 date: 2012-02-24T00:00:00
db: NVD id: CVE-2012-1288 date: 2012-02-23T12:33:55.470