Tuesday, October 08, 2024

CVE-2024-43686: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - REFLECTED CROSS-SITE SCRIPTING XSS

This vulnerability was found in the administrative interface of the “Microchip TimeProvider® 4100 Grandmaster TP4100” device.

TimeProvider 4100 Grandmaster Device

The channelId parameter was found to be reflected in the embedded web server's responses, specifically in the response to the request that updates the charts.

After several attempts, it was possible to inject a JavaScript payload between <script> tags, resulting in a reflected cross-site scripting vulnerability. The following image shows an example of a request containing the malicious JavaScript payload:




Request RAW:

POST /get_chart_data HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 99
Origin: https://XXX.XXX.XXX.XXX
Referer: https://XXX.XXX.XXX.XXX/perfmon_t1e1_stat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

metric=mtie_a&xRange=1&tStart=-1&channelName=span&channelId=1%3cscript%3ealert(1)%3c%2fscript%3easd

Payload execution on the victim’s browser:




Conclusion:

An unauthenticated user can insert JavaScript snippets in the channelId parameter of the POST request to the get_chart_data web resource. In the worst case, an attacker can perform privileged operations by stealing an administrative user’s session, or gain access to sensitive information belonging to that user.
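The server-side fix for this class of bug is to reject anything in channelId that is not the expected identifier, and to escape any value that must be written into a script block. The sketch below is an added example, not the device's firmware or the vendor's patch; the per-field rules and the function names are assumptions chosen to match the request shown above.

```javascript
// Added example: allow-list validation for the get_chart_data form body,
// plus script-context-safe serialization. Field rules are assumptions.

// One rule per expected field; a value that does not match is rejected,
// never "cleaned up" and passed on.
const FIELD_RULES = {
  metric: /^[a-z0-9_]{1,32}$/,
  xRange: /^\d{1,4}$/,
  tStart: /^-?\d{1,12}$/,
  channelName: /^[a-z0-9_]{1,32}$/,
  channelId: /^\d{1,4}$/,
};

function parseChartRequest(rawBody) {
  const params = new URLSearchParams(rawBody); // percent-decodes each value
  const clean = {};
  for (const [name, rule] of Object.entries(FIELD_RULES)) {
    const values = params.getAll(name);
    // Exactly one occurrence, and it must match the rule for that field.
    if (values.length !== 1 || !rule.test(values[0])) {
      return { ok: false, rejected: name };
    }
    clean[name] = values[0];
  }
  return { ok: true, params: clean };
}

// JSON.stringify alone does not stop "</script>" from closing the element,
// so <, >, & and the JS line separators are emitted as \uXXXX escapes.
function toScriptSafeJson(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Inputs: the request body from this post, and a constructed benign variant.
const reportedBody =
  'metric=mtie_a&xRange=1&tStart=-1&channelName=span' +
  '&channelId=1%3cscript%3ealert(1)%3c%2fscript%3easd';
const benignBody =
  'metric=mtie_a&xRange=1&tStart=-1&channelName=span&channelId=1';

console.log(parseChartRequest(reportedBody)); // rejected on channelId
console.log(parseChartRequest(benignBody));   // accepted
```
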
 

Reporting Information:

CVE Identifier: CVE-2024-43686
CVSS Score: 8.0
Affected Versions: Firmware 1.0 through 2.4.7
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43686
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-reflected-xss-vulnerability
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Monday, October 07, 2024

CVE-2024-43684: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - CROSS-SITE REQUEST FORGERY (CSRF) - CWE-352

Continuing the analysis of the "TimeProvider 4100 Grandmaster" device, a Cross-Site Request Forgery (CSRF) vulnerability was identified.


TimeProvider 4100 Grandmaster Device

The device’s web interface does not implement anti-CSRF tokens, leaving it susceptible to malicious requests being submitted on behalf of an authenticated user.

CSRF attacks exploit the trust a web application places in a user’s browser. Without CSRF protections in place, an attacker can craft a malicious web page that, when visited by an authenticated user, silently sends unauthorized requests to the device—executing actions with the user’s privileges.

In this case, the vulnerability allows attackers to modify system parameters or UI elements without user consent. 

For example, the following proof-of-concept (PoC) demonstrates changing the web interface banner to display the text “CSRFATTACK”.

CSRF Attack PoC

Exploitation Steps

An attacker could exploit this vulnerability as follows:

  1. The victim logs into the TimeProvider 4100 web interface and retains an active session.

  2. The victim visits a malicious webpage crafted by the attacker.

  3. The page contains hidden HTML or JavaScript code that issues an authenticated request to the device (e.g., modifying configuration or display elements).

  4. The device processes the request, assuming it was legitimately issued by the user.


The following image shows the device's web interface banner modified as a result of the CSRF attack:


Recommended Mitigations:

  • Implement anti-CSRF tokens in all state-changing HTTP requests to ensure they originate from legitimate sources.

  • Use the SameSite attribute in cookies to reduce cross-origin request risks.

  • Educate users to avoid visiting untrusted links while logged into administrative systems.

  • Restrict access to the device’s web interface to only trusted networks and users.
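The first two mitigations can be combined as in the sketch below: a token bound to the session and checked on every state-changing request, plus a SameSite session cookie. This is an added example, not the device's firmware or the vendor's fix; the cookie name, the x-csrf-token header and the shape of the request object are assumptions.

```javascript
// Added example: session-bound anti-CSRF token and a SameSite session cookie.
// Names, the header choice and the key handling are assumptions.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const SERVER_KEY = randomBytes(32); // per-boot secret, never sent to clients

// SameSite=Strict keeps the browser from attaching the session cookie to
// requests that were initiated by another site.
function sessionCookie(sessionId) {
  return `session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Token = nonce + HMAC(key, sessionId | nonce): only valid for that session.
function issueCsrfToken(sessionId) {
  const nonce = randomBytes(16).toString('hex');
  const mac = createHmac('sha256', SERVER_KEY)
    .update(`${sessionId}|${nonce}`).digest('hex');
  return `${nonce}.${mac}`;
}

function verifyCsrfToken(sessionId, token) {
  if (typeof token !== 'string') return false;
  const [nonce, mac, extra] = token.split('.');
  if (!nonce || !mac || extra !== undefined) return false;
  const expected = createHmac('sha256', SERVER_KEY)
    .update(`${sessionId}|${nonce}`).digest();
  const given = Buffer.from(mac, 'hex');
  // Length check first: timingSafeEqual throws on unequal lengths.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Gate placed in front of every handler: state-changing methods need a valid
// token in a custom header, which a cross-site HTML form cannot set.
function allowRequest(req) {
  if (!STATE_CHANGING.has(req.method)) return true;
  return verifyCsrfToken(req.sessionId, req.headers['x-csrf-token']);
}
```
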


Conclusion:

The lack of anti-CSRF protection in the TimeProvider 4100 introduces a significant security risk, especially in environments where the web interface is exposed to internal or external users. This vulnerability can lead to unauthorized configuration changes and potential system misuse, and it undermines the integrity of user actions.

Reporting Information:

CVE Identifier: CVE-2024-43684
CVSS Score: 8.8
Affected Versions: Firmware 1.0 through 2.4.7
Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43684
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-cross-site-request-forgery
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.