La Sostenibilità per TIM

Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci

Ultimi Comunicati Stampa

Redazione ufficio stampa

Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati

CVE-2024-43684

CVE-2024-43684 – Microchip TP4100

Vulnerability Description: Cross-Site Request Forgery (CSRF)– CWE-352

Software Version: 2.3.12

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43684

CVSS: 8.8

Severity: High

Credits: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

The device does not implement an Anti-CSRF token to protect the device against potential cross site request forgery attack.

 

Step-by-step instructions and PoC

Below are the evidences with the vulnerability details and the payloads used.

The device doesn’t implement protection against Cross-Site Request Forgery (CSRF). The user could be tricked by an attacker into making an unintentional request to the web server which will be treated as an authentic request. Here the PoC used to trick the user: the message showed in the banner will be changed into ‘CSRFATTACK’.

Figure 18: Banner html

Click To Enlarge

After the user submit the request using the PoC, the banner is actually changed.

Figure 19: Banner

Click To Enlarge

Security Impact

An attacker could effectively perform any operations as the victim. These may include: obtaining complete control over the web application, deleting or stealing data. Because the attacker has the identity of the victim, the scope of CSRF is limited only by the victim's privileges.