CVE-2024-43684: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - CROSS-SITE REQUEST FORGERY (CSRF) - CWE-352

Proceeding with the analysis of the "TimeProvider 4100 grandmaster" device, it was possible to find out a Cross-Site Request Forgery (CSRF) vulnerability.

TimeProvider 4100 Grandmaster Device

The device’s web interface does not implement Anti-CSRF token, leaving it susceptible to malicious requests being submitted on behalf of an authenticated user.

CSRF attacks exploit the trust a web application places in a user’s browser. Without CSRF protections in place, an attacker can craft a malicious web page that, when visited by an authenticated user, silently sends unauthorized requests to the device—executing actions with the user’s privileges.

In this case, the vulnerability allows attackers to modify system parameters or UI elements without user consent. 

For example, the following proof-of-concept (PoC) demonstrates changing the web interface banner to display the text “CSRFATTACK”.

CSRF Attack PoC

Exploitation Steps

An attacker could exploit this vulnerability as follows:

1. The victim logs into the TimeProvider 4100 web interface and retains an active session.

2. The victim visits a malicious webpage crafted by the attacker.

3. The page contains hidden HTML or JavaScript code that issues an authenticated request to the device (e.g., modifying configuration or display elements).

4. The device processes the request, assuming it was legitimately issued by the user.

The following image shows the device's web interface banner modified as a result of the CSRF attack:

Recommended Mitigations:

• Implement anti-CSRF tokens in all state-changing HTTP requests to ensure they originate from legitimate sources.

• Use the SameSite attribute in cookies to reduce cross-origin request risks.

• Educate users to avoid visiting untrusted links while logged into administrative systems.

• Restrict access to the device’s web interface to only trusted networks and users.

Conclusion:

The lack of anti-CSRF protection in the TimeProvider 4100 introduces a significant security risk, especially in environments where the web interface is exposed to internal or external users. This vulnerability can lead to unauthorized configuration changes, potential system misuse, and undermines the integrity of user actions.

Reporting Information:

CVE Identifier: CVE-2024-43684

CVSS Score: 8.8
Affected Versions: Firmware 1.0 through 2.4.7

Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43684
Vendor Reference:https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-cross-site-request-forgery
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.