TimeProvider 4100 Grandmaster Device
The root of the issue lies in how the device manages user session cookies.
Specifically, the web interface issues a session cookie ci_session prior to user authentication, and this same cookie is retained and reused after login. The device does not regenerate the session identifier upon successful authentication, allowing a previously established session to become fully authenticated once a user logs in.
This creates a serious security risk: an attacker who can plant a known session cookie in a victim's browser before authentication can hijack that session once the user logs in, without needing the user's credentials.
Exploitation Steps
This vulnerability can be exploited through a Session Fixation attack using the following steps:
1. The attacker initiates a session with the device, without authenticating, and receives a valid ci_session cookie.
2. The attacker plants that cookie in the victim's browser, for example through a phishing link or a malicious iframe. A browser only accepts a cookie for the device's origin from that origin or a parent domain, or from an on-path attacker who can inject a Set-Cookie header into an unencrypted response, so this step requires one of those vantage points; the advisory does not say which one was used.
3. The victim logs in to the device's web interface while using the attacker-provided session.
4. The session becomes authenticated, but the session ID has not changed, so the attacker can now reuse the same cookie to gain authenticated access as the victim.
Key Proof-of-Concept Insight:
The attacker does not need to know the victim’s credentials.
They only need to ensure the victim authenticates using a session ID under the attacker’s control.
Recommended Mitigations:
Regenerate the session ID immediately upon successful login to ensure session isolation.
Invalidate session tokens upon logout and clear session data from memory.
Use secure cookie attributes (Secure, HttpOnly, SameSite) to reduce client-side exposure.
Monitor for reused or long-lived session IDs across IPs or geolocations.
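The following is an added example, not code from the advisory or from the device's firmware. It models the login flow in a small in-memory session store so that the exploitation steps above can be replayed against both the flawed behaviour (the pre-auth ci_session is kept after login) and the hardened behaviour the mitigations call for (a fresh ID on login, old ID retired, tokens dropped on logout). The credential store, the WebApp class and its method names are assumptions for the demo; login_rotates_session is the check a tester would run against a real device by comparing the ci_session value before and after login.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed credential store for the demo; not the device's real accounts.
USERS: Dict[str, str] = {"admin": "correct-horse-battery-staple"}

COOKIE_NAME = "ci_session"


class Session:
    """Server-side state bound to one session identifier."""

    def __init__(self) -> None:
        self.user: Optional[str] = None


class WebApp:
    """Minimal model (assumed, not the firmware's code) of session handling.

    regenerate_on_login=False reproduces the advisory's flaw: the pre-auth
    session id is kept after a successful login. True is the hardened form.
    """

    def __init__(self, regenerate_on_login: bool) -> None:
        self.regenerate_on_login = regenerate_on_login
        self.sessions: Dict[str, Session] = {}

    def visit(self) -> str:
        """First request without a cookie: a session id is issued before auth."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session()
        return sid

    def login(self, sid: str, username: str, password: str) -> Optional[str]:
        """Authenticate; return the session id the browser should use afterwards."""
        session = self.sessions.get(sid)
        if session is None:
            # Unknown cookie: treat as a fresh visit rather than trusting it.
            sid = self.visit()
            session = self.sessions[sid]
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        if self.regenerate_on_login:
            # Hardened: move the state to a brand-new id and retire the old one,
            # so an id known to a third party before login is now worthless.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = session
        session.user = username
        return sid

    def logout(self, sid: str) -> None:
        """Invalidate the token server-side; a replayed cookie must not work."""
        self.sessions.pop(sid, None)

    def whoami(self, sid: str) -> Optional[str]:
        session = self.sessions.get(sid)
        return session.user if session else None


def set_cookie_header(sid: str) -> str:
    """Set-Cookie line carrying the attributes the mitigations recommend."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def session_fixation_succeeds(app: WebApp, victim: str, password: str) -> bool:
    """Replay the advisory's steps; True means the attacker ends up authenticated."""
    # Step 1: the attacker visits the device and receives a pre-auth ci_session.
    attacker_sid = app.visit()
    # Step 2: the attacker plants that id in the victim's browser. The means of
    # doing so (cookie injection on the device's origin) is assumed here.
    victim_sid = attacker_sid
    # Step 3: the victim logs in while carrying the planted cookie.
    app.login(victim_sid, victim, password)
    # Step 4: the attacker replays the id they chose.
    return app.whoami(attacker_sid) == victim


def login_rotates_session(app: WebApp, user: str, password: str) -> bool:
    """Tester's check: does the id change across login, and is the old one dead?"""
    before = app.visit()
    after = app.login(before, user, password)
    return after is not None and after != before and app.whoami(before) is None


if __name__ == "__main__":
    for flag in (False, True):
        app = WebApp(regenerate_on_login=flag)
        hijacked = session_fixation_succeeds(app, "admin", USERS["admin"])
        print(f"regenerate_on_login={flag}: fixation succeeds = {hijacked}")
```

Against a real device the same check is run with two HTTP requests: record the ci_session value from the first unauthenticated response, submit the login form with that cookie, and compare the Set-Cookie value in the reply. If it is unchanged and a later request with the original value is served as the logged-in user, the device has the behaviour described above.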
This vulnerability highlights a critical failure in session lifecycle management: because session identifiers are not regenerated after login, the system is open to session fixation attacks, which let an attacker impersonate an authenticated user without knowing any credentials.
Reporting Information:
Affected Versions: Firmware 1.0 up to, but not including, 2.4.7
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43685
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-session-token-fixation
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.