CVE-2024-43685

Session token fixation in TimeProvider 4100

Description

Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

Remediation

Workaround:

It is important to note that the web interface is only available on a physically separate management port and these vulnerabilities have no impact on the timing service ports. For added security, users have the option to disable the web interface, further protecting the device from potential web-based exploitations.

References

Link	Tags
https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-session-token-fixation	vendor advisory
https://www.gruppotim.it/it/footer/red-team.html	third party advisory

Frequently Asked Questions

What is the severity of CVE-2024-43685?: CVE-2024-43685 has been scored as a high severity vulnerability.
How to fix CVE-2024-43685?: As a workaround for remediating CVE-2024-43685: It is important to note that the web interface is only available on a physically separate management port and these vulnerabilities have no impact on the timing service ports. For added security, users have the option to disable the web interface, further protecting the device from potential web-based exploitations.
Is CVE-2024-43685 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-43685 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-43685?: CVE-2024-43685 affects Microchip TimeProvider 4100.

Description

Remediation

Categories

CWE-613 – Insufficient Session Expiration

CWE-287 – Improper Authentication

References

Frequently Asked Questions