
Vulnerability Details


Date of Disclosure: 6/27/2024

Affected Product: TimeProvider® 4100 Grandmaster

  • Vulnerability Type: Cross-Site Request Forgery (CSRF)
  • CVE Identifier: CVE-2024-43684
  • CVSS Score: 8.8 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H/R:U/V:C/RE:M/U:Amber)
  • Vulnerability Description:
    • The current web front-end does not support anti-CSRF tokens. This issue is mitigated by configuring the SameSite attribute to “Strict” for the ci_session token.
  • Affected Versions:
    • Firmware 1.0 through 2.4.7
  • Vulnerability Status:
    • Unresolved
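The description above names a concrete mitigation: the ci_session cookie must carry SameSite=Strict so a browser will not attach it to cross-site requests. The following audit script is an added example, not Microchip code or part of the advisory; it parses Set-Cookie headers captured from a device's HTTP response and reports whether the session cookie has that attribute (plus the usual Secure and HttpOnly hardening). The sample headers are constructed, not taken from a real unit.

```python
"""Audit Set-Cookie headers for the SameSite=Strict mitigation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieAudit:
    name: str
    attributes: Dict[str, str]          # attribute name (lowercased) -> value
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header value into the cookie name and its attributes.
    Attribute names are case-insensitive (RFC 6265), so they are lowercased;
    flag attributes such as Secure and HttpOnly map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return CookieAudit(name, attrs)


def audit_session_cookie(set_cookie_headers: List[str],
                         session_cookie: str = "ci_session") -> List[str]:
    """Return findings for the session cookie; an empty list means the
    mitigation (SameSite=Strict) and Secure/HttpOnly are all present.
    Note: SameSite=Lax still sends the cookie on top-level cross-site GET
    navigations, so only 'Strict' satisfies the advisory's mitigation."""
    for header in set_cookie_headers:
        audit = parse_set_cookie(header)
        if audit.name != session_cookie:
            continue
        samesite = audit.attributes.get("samesite", "").lower()
        if samesite != "strict":
            observed = samesite or "missing"
            audit.findings.append(f"SameSite is {observed!r}, expected 'Strict'")
        if "secure" not in audit.attributes:
            audit.findings.append("Secure flag missing")
        if "httponly" not in audit.attributes:
            audit.findings.append("HttpOnly flag missing")
        return audit.findings
    return [f"no Set-Cookie for {session_cookie!r} found"]


# Constructed sample headers (hypothetical values, not captured from a device).
WEAK = ["ci_session=abc123; Path=/; HttpOnly"]
HARDENED = ["ci_session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"]

if __name__ == "__main__":
    print(audit_session_cookie(WEAK))      # reports missing SameSite and Secure
    print(audit_session_cookie(HARDENED))  # []
```

SameSite is enforced by the client's browser, so it complements rather than replaces the network-isolation advice in the Mitigation section.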

Risk Assessment


Exploitation of this vulnerability could allow an attacker to trick an end user into inadvertently performing malicious actions against the application on the attacker's behalf.

Mitigation


Do not expose the web interface on the separate management port to an untrusted network. For added security, users have the option to disable the web interface, further protecting the device from potential web-based exploitation.

Acknowledgements


Reported by Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.
