We detect you are using an unsupported browser. For the best experience, please visit the site using Chrome, Firefox, Safari, or Edge. X

Maximize Your Experience: Reap the Personalized Advantages by Completing Your Profile to Its Fullest! Update Here

Stay in the loop with the latest from Microchip! Update your profile while you are at it. Update Here

Complete your profile to access more resources.Update Here!

Item	Qty
Your cart is empty.

CVE-2024-43685: TimeProvider® 4100 Grandmaster Session Token Fixation

Vulnerability Details

Date of Disclosure: 6/27/2024

Affected Product: TimeProvider^® 4100 Grandmaster

Vulnerability Type: Session fixation
CVE Identifier: CVE-2024-43685
CVSS Score: 8.7
Vulnerability Description:
- The TimeProvider® 4100 grandmaster is vulnerable to session hijacking
Affected Versions:
- Firmware 1.0 through 2.4.7
Vulnerability Status:
- Resolved in firmware release 2.4.7

Risk Assessment

Exploitation of the vulnerability allows the attacker to hijack a user session if they are able to obtain a pre-login cookie.

Mitigation

Upgrade TimeProvider® 4100 grandmaster to the latest firmware.

Patch/Release Information

As of the firmware release 2.4.7, enhancements to the session management ensure that session tokens are securely handled, preventing attackers from hijacking user sessions by obtaining and using valid session tokens.

Acknowledgements

Reported by Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Recommendations

It is strongly recommended that all customers upgrade TimeProvider® 4100 grandmaster to firmware version 2.4.7 or newer.

It is important to note that the web interface is only available on a physically separate management port and these vulnerabilities have no impact on the timing service ports. For added security, users have the option to disable the web interface, further protecting the device from potential web-based exploitations.