
CVE-2023-51718: Tekron GridTime™ 3000 Device Unauthenticated Read Access

Vulnerability Details

  • Date of Disclosure: 2/25/2024
  • Affected Product: GridTime™ 3000 GNSS Time Server
  • Vulnerability Type: Authorization
  • CVE Identifier: CVE-2023-51718
  • CVSS Score: 8.8
  • Vulnerability Description:
    • The GridTime 3000 GNSS time server web UI allows unauthenticated read access.
  • Affected Versions:
    • Firmware 1.0r0.03 through 1.0r3.0
  • Vulnerability Status:
    • Resolved in firmware release 1.0r4.00.

Risk Assessment

Exploitation of the vulnerability allows an unauthenticated attacker to read potentially sensitive configuration details of the system.

Mitigation

Upgrade GridTime 3000 GNSS time servers to the latest firmware.

Patch/Release Information

As of firmware release 1.0r4.00, configuration information can no longer be accessed when an HTTP request is sent using an unauthenticated session ID.
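To make the flaw and the fix concrete, the following is an added illustration written for this advisory; it is not Tekron firmware code. It models a web UI that hands out a session ID before login and shows the vulnerable check (session ID merely known to the server) beside the corrected check (session actually authenticated). The endpoint, session layout, credentials and configuration values are all assumptions.

```python
"""Authorization flaw of the kind described in CVE-2023-51718 (added example,
not Tekron code): a session ID issued before login must not be treated as
proof that the caller is logged in. All names and values here are assumptions."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample configuration; placeholder values, not from a real device.
DEVICE_CONFIG = {"ntp_servers": ["203.0.113.10"], "snmp_community": "<placeholder>"}
# Constructed demo credential; a real device would verify against stored hashes.
DEMO_USER, DEMO_PASSWORD = "admin", "example-only"


@dataclass
class Session:
    authenticated: bool = False
    user: Optional[str] = None


class TimeServerUI:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        # Session ID handed out on first contact, before any credentials are seen.
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str, password: str) -> bool:
        # Constant-time comparison; marks the existing session as authenticated.
        session = self.sessions.get(sid)
        if session is None:
            return False
        ok = hmac.compare_digest(user, DEMO_USER) and hmac.compare_digest(password, DEMO_PASSWORD)
        if ok:
            session.authenticated, session.user = True, user
        return ok

    def get_config_vulnerable(self, sid: str) -> Optional[dict]:
        # Flaw: only checks that the session ID exists, not that it is logged in,
        # so any unauthenticated session can read the configuration.
        return DEVICE_CONFIG if sid in self.sessions else None

    def get_config_fixed(self, sid: str) -> Optional[dict]:
        # Corrected check, matching the 1.0r4.00 behaviour described above:
        # configuration is served only to an authenticated session.
        session = self.sessions.get(sid)
        if session is None or not session.authenticated:
            return None
        return DEVICE_CONFIG
```

The same distinction (known session versus authenticated session) is what a reviewer should look for on every handler that returns device state, not only the configuration endpoint.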

Acknowledgements

Reported by Michael Messner and Benedikt Kühne from Siemens Energy.

Recommendations

It is strongly recommended that all customers upgrade GridTime 3000 GNSS time servers to firmware version 1.0r4.00.