CVE-2024-43685 - Vulnerability Details

Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact High

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Microchip	Timeprovider 4100 Timeprovider 4100 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:microchip:timeprovider_4100_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:microchip:timeprovider_4100:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.gruppotim.it/it/footer/red-team.html
https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-session-token-fixation

History

Thu, 17 Oct 2024 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microchip timeprovider 4100
CPEs		cpe:2.3:h:microchip:timeprovider_4100:-:::::::*
Vendors & Products		Microchip timeprovider 4100
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 07 Oct 2024 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microchip Microchip timeprovider 4100 Firmware
CPEs		cpe:2.3:o:microchip:timeprovider_4100_firmware::::::::
Vendors & Products		Microchip Microchip timeprovider 4100 Firmware
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 04 Oct 2024 20:00:00 +0000

Type	Values Removed	Values Added
Description		Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.
Title		Session token fixation in TimeProvider 4100
Weaknesses		CWE-287
References		https://www.gruppotim.it/it/footer/red-team.html https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-session-token-fixation
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H/R:U/V:C/RE:M/U:Amber'}`

MITRE

Status: PUBLISHED

Assigner: Microchip

Published: 2024-10-04T19:48:53.595Z

Updated: 2024-10-04T22:15:46.343Z

Reserved: 2024-08-14T15:39:44.265Z

Link: CVE-2024-43685

Vulnrichment

Updated: 2024-10-04T21:28:30.623Z

NVD

Status : Analyzed

Published: 2024-10-04T20:15:06.830

Modified: 2024-10-17T15:17:20.217

Link: CVE-2024-43685

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact High

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object