Microchip Time Provider 4100 Unsigned Upgrade Vulnerability Allowing Malicious Software Modification
Vulnerability
A vulnerability in the Microchip Time Provider 4100 GNSS Grandmaster, all versions prior to 2.5, allows unauthorized modification of software during updates. The upgrade package is not signed with an asymmetric (public-key) signature; it relies on a symmetric key, so anyone who obtains that key can tamper with a package and install arbitrary filesystems. Exploitation would require physical access to the device to extract the root password and access the symmetric key used for upgrades, making this a complex and costly attack.
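The difference between the two schemes, as an added example that is not Microchip's code or package format: it compares what a device can be made to accept when everything stored on it is known. HMAC-SHA256, Ed25519, the key values and the image bytes are all constructed assumptions, since the page does not name the device's algorithms.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// symmetricTag models a shared-secret integrity tag. HMAC-SHA256 is an
// assumption; the page does not say which symmetric scheme the device uses.
func symmetricTag(key, image []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return m.Sum(nil)
}

// verifySymmetric is the check a device can do with a stored shared key.
func verifySymmetric(deviceKey, image, tag []byte) bool {
	return hmac.Equal(symmetricTag(deviceKey, image), tag)
}

// verifySigned is the check a device can do with only a vendor public key.
func verifySigned(vendorPub ed25519.PublicKey, image, sig []byte) bool {
	return ed25519.Verify(vendorPub, image, sig)
}

// demo reports whether a modified image passes each check when the party
// modifying it knows every secret stored on the device.
func demo() (bool, bool) {
	sharedKey := []byte("constructed-shared-upgrade-key") // stored on device
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)  // constructed; vendor side only
	vendorPriv := ed25519.NewKeyFromSeed(seed)
	vendorPub := vendorPriv.Public().(ed25519.PublicKey) // stored on device
	original := []byte("constructed filesystem image v1")
	modified := []byte("constructed filesystem image v1 + change")
	vendorSig := ed25519.Sign(vendorPriv, original)
	// The verifying key is also the tagging key, so a fresh valid tag exists.
	symAccepts := verifySymmetric(sharedKey, modified, symmetricTag(sharedKey, modified))
	// The device holds no signing key; the vendor signature covers only the original.
	sigAccepts := verifySigned(vendorPub, modified, vendorSig)
	return symAccepts, sigAccepts
}

func main() {
	sym, sig := demo()
	fmt.Printf("modified image accepted: symmetric=%v signed=%v\n", sym, sig)
}
```

With public-key verification, extracting the device's contents yields nothing that can authorize a new package, which is the property the unsigned upgrade lacks.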
Impact
Exploitation could lead to unauthorized modification of the device's filesystem, allowing for potentially malicious changes to the system's operation or integrity.
Remediation
It is recommended to upgrade to the latest firmware version when available. Currently, upgrades can be managed through a separate port that should not be connected to untrusted networks, with access controls available to restrict updates to trusted addresses.
