
Vulnerability Details


Date of Disclosure: 6/27/2024

Affected Product: TimeProvider® 4100 Grandmaster

  • Vulnerability Type: URL redirection to untrusted site
  • CVE Identifier: CVE-2024-43683
  • CVSS Score: 8.7 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H/R:U/V:C/RE:M/U:Amber)
  • Vulnerability Description: The current web front-end does not properly verify the Host header field
  • Affected Versions: Firmware 1.0 through 2.4.7
  • Vulnerability Status: Unresolved

Risk Assessment


Exploitation of the vulnerability could allow an attacker to redirect a user who is logged in to an untrusted site.
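The missing check, as an added illustration that is not Microchip's code: a web front-end should only build redirect URLs from a Host value that matches a name the operator has configured for the device, and only toward a local path. The hostnames in TRUSTED_HOSTS are constructed for the example; the vulnerable and hardened functions are shown side by side.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the names/addresses an operator actually assigns to the device.
TRUSTED_HOSTS = {"tp4100.lab.example", "10.0.0.5"}


def parse_host_header(host_header):
    """Return (hostname, port) from a Host header, or None if it is malformed."""
    try:
        parts = urlsplit("//" + host_header.strip())
        hostname, port = parts.hostname, parts.port  # .port raises on a non-numeric port
    except ValueError:
        return None
    # Reject anything beyond an authority (e.g. a path or query smuggled into Host).
    if not hostname or parts.path or parts.query or parts.fragment:
        return None
    return hostname.lower(), port


def is_trusted_host(host_header, trusted=TRUSTED_HOSTS):
    """True only if Host names one of the device's own configured hostnames/addresses."""
    parsed = parse_host_header(host_header or "")
    if parsed is None:
        return False
    hostname, _ = parsed
    return hostname in {t.lower() for t in trusted}


def unsafe_redirect(host_header, path):
    """Vulnerable pattern: the client-supplied Host is reflected into the Location URL unchecked."""
    return "https://" + host_header + path


def safe_redirect(host_header, path, trusted=TRUSTED_HOSTS):
    """Hardened pattern: only a configured hostname is used, and only toward a local path."""
    parsed = parse_host_header(host_header or "")
    if parsed is None or not is_trusted_host(host_header, trusted):
        raise ValueError("untrusted or malformed Host header")
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("redirect target must be a local absolute path")
    hostname, port = parsed
    authority = "[" + hostname + "]" if ":" in hostname else hostname  # IPv6 literal
    if port is not None:
        authority += ":" + str(port)
    return "https://" + authority + path
```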

Mitigation


Do not expose the web interface on the separate management port to an untrusted network. For added security, users have the option to disable the web interface, further protecting the device from potential web-based exploitation.

Acknowledgements


Reported by Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.
