
CVE-2024-23536: Tekron GridTime™ 3000 Device Redirection Vulnerability

Vulnerability Details


Date of Disclosure: 2/25/2024

Affected Product: GridTime™ 3000 GNSS Time Server

  • Vulnerability Type: URL redirection
  • CVE Identifier: CVE-2024-23536
  • CVSS Score: 8.8
  • Vulnerability Description:
    • The redirect URL parameter of the GridTime 3000 device’s local web server is prone to an open redirect vulnerability, which can be used to redirect users to arbitrary URLs and steal the relevant session token.
  • Affected Versions: 
    • Firmware 1.0r0.03 through 1.0r3.0
  • Vulnerability Status: 
    • Resolved in firmware release 1.0r4.00.

Risk Assessment


Exploitation of the vulnerability could allow an attacker to gain full access to the clock, allowing them to see potentially sensitive configuration details or interfere with the operation of the unit.

Mitigation


Upgrade the GridTime 3000 device to the latest firmware.

Patch/Release Information


As of firmware release 1.0r4.00, if the redirection URL is found to be invalid, the server no longer grants an authentication token, which prevents a user's access token from being intercepted by a third party.
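
The order of checks described above (validate the redirection URL first, grant a token only if it passes), sketched as an added example; this is not Tekron or Microchip firmware code. The host name, the validation rules and the function names are assumptions, since the advisory does not say how the firmware decides that a URL is invalid.

```python
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed values for illustration; not taken from the advisory.
DEVICE_HOST = "clock.example.internal"
DEFAULT_PATH = "/"

def is_valid_redirect(target: str, device_host: str = DEVICE_HOST) -> bool:
    """Accept only targets that stay on the device's own web server."""
    # Control characters, spaces and backslashes are parsed inconsistently
    # by servers and browsers, so reject them outright.
    if not target or "\\" in target or any(ord(c) < 0x21 for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative form: must be an absolute path, never "//host/..."
        return target.startswith("/") and not target.startswith("//")
    # Absolute form: https only, exact host match, no embedded credentials.
    return (parts.scheme == "https"
            and parts.hostname == device_host
            and parts.username is None
            and parts.password is None)

def handle_login(credentials_ok: bool, redirect: Optional[str]) -> dict:
    """Decide on the redirect before any token exists."""
    if not credentials_ok:
        return {"status": 401, "token": None, "location": None}
    if redirect is None:
        redirect = DEFAULT_PATH
    if not is_valid_redirect(redirect):
        # Invalid redirection URL: no authentication token is granted.
        return {"status": 400, "token": None, "location": None}
    token = secrets.token_urlsafe(32)
    return {"status": 302, "token": token, "location": redirect}
```

Because the token is created only after the target passes validation, a rejected request has nothing to carry to a third-party URL.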

Acknowledgements


Reported by Michael Messner and Benedikt Kühne from Siemens Energy.

Recommendations


It is strongly recommended that all customers upgrade GridTime 3000 devices to firmware version 1.0r4.00.
