Exploit
CVE-2024-9054

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

Published: Oct 4, 2024 / Updated: 46d ago

010
CVSS 8.5EPSS 0.04%High
CVE info copied to clipboard

Summary

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') and Exposure of Sensitive Information to an Unauthorized Actor vulnerability has been identified in Microchip TimeProvider 4100, specifically affecting the Configuration modules. This vulnerability allows for Command Injection attacks. The affected versions range from 1.0 up to, but not including, version 2.4.7 of TimeProvider 4100.

Impact

The impact of this vulnerability is severe, with a CVSS v4 base score of 8.5, categorized as HIGH severity. The vulnerability allows an attacker to execute arbitrary OS commands on the affected system, potentially leading to full system compromise. Additionally, it may expose sensitive information to unauthorized actors. The attack vector is network-based, requires low attack complexity, and can be automated, increasing the risk of widespread exploitation. While user interaction is required, the privileges needed are low, making it easier for an attacker to exploit. The vulnerability affects the confidentiality, integrity, and availability of the vulnerable system, all rated as HIGH impact.

Exploitation

One proof-of-concept exploit is available on gruppotim.it. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been addressed in TimeProvider 4100 version 2.4.7 and later versions.

Mitigation

1. Immediately update Microchip TimeProvider 4100 to version 2.4.7 or later. 2. If immediate patching is not possible, implement network segmentation to limit access to the affected systems. 3. Monitor for suspicious activities or unauthorized command executions on affected systems. 4. Implement strong input validation and sanitization mechanisms to prevent command injection attacks. 5. Apply the principle of least privilege to minimize the potential impact of successful exploitation. 6. Regularly audit and review system configurations and access controls. 7. Consider implementing additional security measures such as intrusion detection/prevention systems (IDS/IPS) to detect and block potential exploitation attempts.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9054

Oct 4, 2024 at 8:15 PM
CVSS

A CVSS base score of 8.5 has been assigned.

Oct 4, 2024 at 8:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9054. See article

Oct 4, 2024 at 8:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 4, 2024 at 8:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.3%)

Oct 5, 2024 at 10:04 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 10, 2024 at 6:50 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 10, 2024 at 9:10 PM
Static CVE Timeline Graph

Affected Systems

Microchip/timeprovider_4100_firmware
+null more

Exploits

https://www.gruppotim.it/it/footer/red-team.html
+null more

Patches

www.microchip.com
+null more

Links to Mitre Att&cks

T1562.003: Impair Command History Logging
+null more

Attack Patterns

CAPEC-116: Excavation
+null more

References

TimeProvider® 4100 Grandmaster RCE Through Configuration File
Date of Disclosure: 6/27/2024 Affected Product: TimeProvider ® 4100 Grandmaster Vulnerability Type : Remote code execution CVE Identifier : CVE-2024-9054 CVSS Score : 8.5 Vulnerability Description : The TimeProvider® 4100 grandmaster does not sanitize configuration parameters uploaded to it. Affected Versions: Firmware 1.0 through 2.4.7 Vulnerability Status: Resolved in firmware release 2.4.7

News

CVE-2024-9054 Exploit
CVE Id : CVE-2024-9054 Published Date: 2024-10-10T18:46:00+00:00 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection.This issue affects TimeProvider 4100: from 1.0 before 2.4.7. inTheWild added a link to an exploit: https://www.gruppotim.it/it/footer/red-team.html
cveNotify : 🚨 CVE-2024-9054Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.🎖@cveNotify
cveNotify : 🚨 CVE-2024-9054Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.🎖@cveNotify
CVE-2024-9054 | Microchip TimeProvider 4100 up to 2.4.6 Configuration Module os command injection
A vulnerability, which was classified as critical , has been found in Microchip TimeProvider 4100 up to 2.4.6 . Affected by this issue is some unknown functionality of the component Configuration Module . The manipulation leads to os command injection. This vulnerability is handled as CVE-2024-9054 . The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
NA - CVE-2024-9054 - Improper Neutralization of Special Elements...
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip...
CVE-2024-9054
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection.This issue affects TimeProvider 4100: from 1.0 before...
See 5 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI