
ENSA-2024-6: Upload of Encrypted Packages Allows Authenticated Command Execution in Enphase IQ Gateway (IQ Gateway 4.x.x and 5.x.x)

Advisory ID:
ENSA-2024-6

CVSSv3:
8.6

Issue date:
2024-08-10

Updated on:
2024-08-10 (initial advisory)

CVE(s): 
CVE-2024-21881

Synopsis: 
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability via the url parameter of an authenticated endpoint in Enphase IQ Gateway allows OS Command Injection. This issue affects IQ Gateway versions 4.x.x and 5.x.x.


1. Impacted product

Enphase IQ Gateway 4.x.x and 5.x.x.

2. Introduction

Dutch research organization DIVD is publishing an advisory identifying a vulnerability. An update is available to address this issue.

3. Summary

Description:
Enphase IQ Gateway 4.x.x and 5.x.x have inadequate encryption strength, allowing an authenticated attacker to execute arbitrary OS commands via encrypted package upload when the IQ Gateway is modified to obtain a public IP address and connect to the public internet.

Known attack vectors:
A malicious actor may be able to exploit this issue if the IQ Gateway is modified to obtain a public IP address and connect to the public internet.

Resolution:
Upgrade the Enphase IQ Gateway embedded software to 8.2.4225 or newer.

Workarounds:
Ensure that your IQ Gateway is not exposed to the public internet; public exposure is not needed for typical functionality. A typical solution is to use an internet router.

Additional documentation:
None.

Acknowledgments:
Enphase would like to thank the researcher Wietse Boonstra and the organization DIVD for reporting this issue.

Notes:
None.

4. References

Enphase IQ Gateway software release notes (8.2.4225)

5. Change log

2024-08-10 ENSA-2024-6: Initial security advisory.

6. Contact and information

cybersecurity@enphase.com
Enphase security advisories
Enphase vulnerability reporting
Enphase documentation center