
Vulnerability Details


Date of Disclosure: 6/27/2024

Affected Product: TimeProvider® 4100 Grandmaster

  • Vulnerability Type: Reflected XSS vulnerability
  • CVE Identifier: CVE-2024-43686
  • CVSS Score: 8.0
  • Vulnerability Description:
    • The TimeProvider® 4100 grandmaster has a reflected Cross-Site Scripting (XSS) vulnerability in the “get_chart_data” request.
  • Affected Versions: 
    • Firmware 1.0 through 2.4.7
  • Vulnerability Status: 
    • Resolved in firmware release 2.4.7

Risk Assessment


Exploitation of the vulnerability allows the attacker to execute arbitrary scripts in any user context.

Mitigation


Upgrade TimeProvider® 4100 grandmaster to the latest firmware.

Patch/Release Information


As of firmware release 2.4.7, parameter sanitization has been improved so that arbitrary script can no longer be executed in the user context.
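The sanitization described above, as an added illustration that is not Microchip's firmware code: a minimal handler in the shape of a get_chart_data request, first reflecting query parameters unchanged, then validating the chart name against an allowlist and encoding free text for the HTML context it is written into. The parameter names chart and title are assumptions; the advisory names only the request.

```python
import html
import json
import re
from urllib.parse import parse_qs

# Hypothetical: the advisory does not name the request's parameters.
CHART_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def vulnerable_chart_page(query: str) -> str:
    """'Before' shape: untrusted parameters are reflected into the page unchanged,
    so markup in 'title' lands in the HTML body and 'chart' lands in inline script."""
    params = parse_qs(query)
    chart = params.get("chart", [""])[0]
    title = params.get("title", ["Chart"])[0]
    return f"<h1>{title}</h1><script>load('{chart}');</script>"


def safe_chart_page(query: str) -> str:
    """'After' shape: validate what can be validated, encode the rest per output context."""
    params = parse_qs(query)
    chart = params.get("chart", [""])[0]
    title = params.get("title", ["Chart"])[0]
    # Chart identifiers have a known shape: reject anything else instead of "cleaning" it.
    if not CHART_NAME_RE.fullmatch(chart):
        return "<h1>Invalid chart name</h1>"
    # Free text shown in the HTML body: entity-encode, including quotes.
    in_html = html.escape(title, quote=True)
    # Value placed inside inline JavaScript: JSON-encode and neutralise a closing tag.
    in_js = json.dumps(chart).replace("</", "<\\/")
    return f"<h1>{in_html}</h1><script>load({in_js});</script>"


# Constructed sample request: a benign chart name with markup in the title.
SAMPLE_QUERY = "chart=cpu_load&title=<script>alert(1)</script>"


def reflects_raw_script(page: str) -> bool:
    """True when the page contains the title's script tag unencoded."""
    return "<script>alert" in page
```

The same allowlist-then-encode pattern applies to any parameter the interface echoes back, not only those of this request.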

Acknowledgements


Reported by Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Recommendations


It is strongly recommended that all customers upgrade TimeProvider® 4100 grandmaster to firmware version 2.4.7 or newer.

It is important to note that the web interface is only available on a physically separate management port, and these vulnerabilities have no impact on the timing service ports. For added security, users have the option to disable the web interface, further protecting the device from potential web-based exploitation.