We detect you are using an unsupported browser. For the best experience, please visit the site using Chrome, Firefox, Safari, or Edge. X

Maximize Your Experience: Reap the Personalized Advantages by Completing Your Profile to Its Fullest! Update Here

Stay in the loop with the latest from Microchip! Update your profile while you are at it. Update Here

Complete your profile to access more resources.Update Here!

Item	Qty
Your cart is empty.

CVE-2024-9054: TimeProvider® 4100 Grandmaster RCE Through Configuration File

Vulnerability Details

Date of Disclosure: 6/27/2024

Affected Product: TimeProvider^® 4100 Grandmaster

Vulnerability Type: Remote code execution
CVE Identifier: CVE-2024-9054
CVSS Score: 8.5
Vulnerability Description:
- The TimeProvider® 4100 grandmaster does not sanitize configuration parameters uploaded to it.
Affected Versions:
- Firmware 1.0 through 2.4.7
Vulnerability Status:
- Resolved in firmware release 2.4.7

Risk Assessment

Exploitation of the vulnerability allows the attacker to execute arbitrary commands on the system if they have the right to upload new configurations.

Mitigation

Upgrade TimeProvider® 4100 grandmaster to the latest firmware.

Patch/Release Information

As of the firmware release 2.4.7, parameter sanitization of the configuration parameters has been improved to not allow execution of unauthorized commands.

Acknowledgements

Reported by Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Recommendations

It is strongly recommended that all customers upgrade TimeProvider® 4100 grandmaster to firmware version 2.4.7 or newer.

It is important to note that the web interface is only available on a physically separate management port and these vulnerabilities have no impact on the timing service ports. For added security, users have the option to disable the web interface, further protecting the device from potential web-based exploitations.