Friday, October 25, 2024

CVE-2024-43685: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - Improper Authentication Vulnerability (Session Fixation)

The final finding from the analysis of the "TimeProvider 4100 Grandmaster" device revealed a Session Fixation vulnerability.

TimeProvider 4100 Grandmaster Device

The root of the issue lies in how the device manages user session cookies.

Specifically, the web interface issues a session cookie ci_session prior to user authentication, and this same cookie is retained and reused after login. The device does not regenerate the session identifier upon successful authentication, allowing a previously established session to become fully authenticated once a user logs in.

This creates a serious security risk: an attacker who can obtain or assign a session cookie to a victim before authentication can later hijack the session after the user logs in, without needing credentials.


Exploitation Steps

This vulnerability can be exploited through a Session Fixation attack using the following steps:

  1. The attacker initiates a session with the device and receives a valid ci_session cookie.

  2. The attacker sends the cookie to the victim, often through a phishing link or malicious iframe that sets the attacker-controlled session in the victim’s browser.

  3. The victim logs in to the device’s web interface while using the attacker-provided session.

  4. The session becomes authenticated—but the session ID has not changed, so the attacker can now reuse the same cookie to gain authenticated access as the victim.


Even after the user logs out, the session may remain usable if it is not properly invalidated server-side.

Following the previously outlined details, the results of each step taken to exploit the vulnerability are presented below. The image illustrates a login request in which the ci_session cookie has been set to an arbitrary value of the same length as the original session cookie:


After the login operation is completed, the device’s web server retains the same session cookie value. The following image illustrates this behavior during a request to the dashboard web resource:


The image below demonstrates the outcome of this session hijacking attack:


Key Proof-of-Concept Insight:

  • The attacker does not need to know the victim’s credentials.

  • They only need to ensure the victim authenticates using a session ID under the attacker’s control.


Recommended Mitigations:

  • Regenerate the session ID immediately upon successful login to ensure session isolation.

  • Invalidate session tokens upon logout and clear session data from memory.

  • Use secure cookie attributes (Secure, HttpOnly, SameSite) to reduce client-side exposure.

  • Monitor for reused or long-lived session IDs across IPs or geolocations.
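The following is an added example, not code from the advisory or from the device firmware, that models the first, second and fourth mitigations above against the four exploitation steps. It uses a constructed in-memory session store: one login routine keeps whatever session ID the client presented (the behaviour the advisory describes), the other discards the pre-authentication ID and issues a fresh one; a small log check flags session IDs seen from more than one client address. Session ID format, the 32-byte token size and the log record shape are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for a web application's server-side session store.
# Session IDs are 32 random bytes, hex encoded (an assumption, not the
# device's real format).


@dataclass
class Session:
    user: Optional[str] = None               # None until authenticated
    created: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def new_id() -> str:
        return secrets.token_hex(32)

    def start(self) -> str:
        """Issue an anonymous pre-auth session, as the login page does."""
        sid = self.new_id()
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login_reusing_cookie(self, sid: str, user: str) -> str:
        """Weak pattern: authenticate whatever session ID the client sent,
        creating it if the server has never seen it. The cookie value the
        browser holds before and after login is identical."""
        sess = self._sessions.setdefault(sid, Session())
        sess.user = user
        return sid

    def login_regenerating(self, sid: str, user: str) -> str:
        """Hardened pattern: drop the presented (possibly attacker-chosen)
        ID and bind the authenticated state to a freshly generated one."""
        self._sessions.pop(sid, None)
        new_sid = self.new_id()
        self._sessions[new_sid] = Session(user=user)
        return new_sid

    def logout(self, sid: str) -> None:
        """Invalidate server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)


def fixation_outcome(regenerate: bool) -> bool:
    """Replay the advisory's four steps against the store and report whether
    the pre-auth cookie ends up authenticated (True means vulnerable)."""
    store = SessionStore()
    # Step 1: a session ID exists before any credentials are checked.
    fixed_sid = store.start()
    # Steps 2-3: the victim logs in while presenting that same ID.
    login = store.login_regenerating if regenerate else store.login_reusing_cookie
    store.logout(login(fixed_sid, "admin")) if False else login(fixed_sid, "admin")
    # Step 4: does the original ID now carry an authenticated session?
    sess = store.get(fixed_sid)
    return sess is not None and sess.user is not None


def logout_invalidates(regenerate: bool) -> bool:
    """After logout, neither the pre-auth ID nor the post-login ID resolves."""
    store = SessionStore()
    pre = store.start()
    login = store.login_regenerating if regenerate else store.login_reusing_cookie
    post = login(pre, "admin")
    store.logout(post)
    return store.get(pre) is None and store.get(post) is None


def sessions_seen_from_multiple_ips(records: Iterable[Tuple[str, str]]) -> List[str]:
    """Monitoring aid for the fourth mitigation. `records` are constructed
    (session_id, client_ip) pairs as an access log might yield; returns the
    IDs used from more than one address, a signal worth alerting on."""
    seen: Dict[str, set] = {}
    for sid, ip in records:
        seen.setdefault(sid, set()).add(ip)
    return sorted(sid for sid, ips in seen.items() if len(ips) > 1)
```

Running `fixation_outcome(False)` reproduces the advisory's result (the pre-auth cookie is authenticated after login), while `fixation_outcome(True)` shows that regenerating the ID leaves the attacker-held cookie pointing at nothing. Note that the hardened path also refuses to create a session for an ID it never issued, which is what allowed the arbitrary cookie value in the advisory's login request to be accepted.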


Conclusion:

This vulnerability highlights a critical failure in session lifecycle management. By failing to regenerate session identifiers after login, the system is left open to session fixation attacks—making it possible for attackers to impersonate authenticated users without needing credentials.


Reporting Information:

CVE Identifier: CVE-2024-43685
CVSS Score: 8.7
Affected Versions: Firmware 1.0 through 2.4.7
Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43685
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-session-token-fixation
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Wednesday, October 16, 2024

CVE-2024-43687: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER DEVICE (BANNER) - STORED XSS

Carrying on with the analysis of the "TimeProvider 4100 grandmaster device", a Stored Cross-Site Scripting (XSS) vulnerability was identified in the custom banner configuration field.


TimeProvider 4100 Grandmaster Device

The embedded web server does not sanitize the "txtcustom" parameter and stores its value in the database. Any user who later visits the device's web administration interface receives the injected JavaScript payload in the related server responses, and it is executed in that user's browser.
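As an added illustration of the defect and its fix (example code, not the device's or the advisory's own), the following models the "custom banner" setting using the form field names visible in the request below (bannerradio, txtcustom). The stored value is kept verbatim; the vulnerable renderer interpolates it into the page unchanged, while the hardened one HTML-encodes it for the element-content context, and a separate renderer strips control characters before the text is shown on a terminal login. The length limit, the surrounding markup and the test string are assumptions for the example.

```python
import html
import re

BANNER_MAX_LEN = 512  # assumed limit; the advisory states none


class BannerConfig:
    """Constructed model of a server-side banner setting. Not device code."""

    def __init__(self) -> None:
        self.mode = "DEFAULT"
        self.custom_text = ""

    def apply(self, form: dict) -> None:
        """Handle the fields seen in the advisory's request. Storage keeps the
        raw text; protection comes from encoding at output time, because the
        same value is rendered in more than one context (HTML and SSH)."""
        if form.get("bannerradio") == "CUSTOMIZED":
            text = form.get("txtcustom", "")
            if len(text) > BANNER_MAX_LEN:
                raise ValueError("banner too long")
            self.mode = "CUSTOMIZED"
            self.custom_text = text
        else:
            self.mode = "DEFAULT"
            self.custom_text = ""

    def render_html_vulnerable(self) -> str:
        # The pattern the advisory describes: stored text interpolated into
        # the page as-is, so any markup in txtcustom becomes live markup.
        return f'<div class="banner">{self.custom_text}</div>'

    def render_html(self) -> str:
        # Hardened: encode <, >, &, " and ' for the HTML element context.
        return f'<div class="banner">{html.escape(self.custom_text, quote=True)}</div>'

    def render_terminal(self) -> str:
        # For the SSH login banner: remove C0 control characters (including
        # ESC) so stored text cannot emit terminal escape sequences. HTML
        # markup is inert in this context and is left alone.
        return re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", self.custom_text)


def inner_banner(rendered_html: str) -> str:
    """Return the content between the banner's opening and closing tags."""
    start = rendered_html.index(">") + 1
    end = rendered_html.rindex("</div>")
    return rendered_html[start:end]


def banner_is_inert(rendered_html: str) -> bool:
    """True when no raw tag characters survive inside the banner element."""
    return "<" not in inner_banner(rendered_html)
```

With a constructed test value such as `<script>alert(1)</script>`, `render_html_vulnerable()` emits the tag verbatim and `render_html()` emits `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as text. Encoding at output, rather than filtering at input, is what keeps the SSH banner readable while making the web banner safe.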

Exploitation Steps

  1. Authenticate to the device’s management web interface.

  2. Open the banner configuration panel.

  3. Select the "custom banner" feature.

  4. Insert the malicious JavaScript payload.

  5. Apply and save the system configuration containing the custom banner.

  6. Execution is triggered when a victim connects to the device's web management interface: loading the page runs the injected JavaScript payload.

The following image shows an example of a request containing the malicious JavaScript payload:


Request RAW:
POST /bannerconfig HTTP/1.1
Host: [device IP]
Cookie: ci_session=[session cookie]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------9680247575877256312575038502
Content-Length: 673
Origin: https://[device IP]
Referer: https://[device IP]/bannerconfig
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: keep-alive

-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="user_level"

1
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="bannerradio"

CUSTOMIZED
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="txtcustom"

[malicious JavaScript payload]
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="action"

applybanner
-----------------------------9680247575877256312575038502--

Payload execution on the victim’s browser:



The injected JavaScript payload is also visible after logging in to the device's SSH service, since the banner is shown there as well. An example of such a connection follows:



Conclusion:

A threat actor exploiting this vulnerability can perform phishing attacks and session hijacking against users of the management interface, compromising the confidentiality, integrity and availability of the device.

Reporting Information:

CVE Identifier: CVE-2024-43687
CVSS Score: 8.0
Affected Versions: Firmware 1.0 through 2.4.7
Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43687
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.