DIVD-2024-00011 - Six vulnerabilities in Enphase IQ Gateway devices
Our reference | DIVD-2024-00011 |
Case lead | Frank Breedijk |
Author | |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | Do not expose your Enphase equipment to untrusted networks (e.g. the internet or a visitor network). If internet connectivity is needed, place the device behind a NAT gateway. |
Patch status | Patches available |
Status | Open |
Last modified | 10 Aug 2024 19:57 CEST |
Summary
DIVD researchers Wietse Boonstra and Hidde Smit have discovered six critical vulnerabilities in Enphase IQ Gateway devices (formerly known as Enphase Envoy). The vulnerabilities are present in versions 4.x through 8.x; version 8.2.4225 and later are patched. The first three can be chained into an unauthenticated remote command execution attack. On older devices (v7.x and older), the password may be a weak default or may be calculable from the serial number, which can be read remotely (see CVE-2020-25754). Using these vulnerabilities, attackers could take control of the Enphase IQ Gateway device.
What you can do
We recommend that you do not expose your Enphase IQ Gateway device to an untrusted network. As long as these vulnerabilities are unpatched, your device can be taken over remotely. We also recommend that you do not (re)expose your device after it has been patched by Enphase, to protect against future vulnerabilities.
You cannot upgrade the firmware of the Envoy IQ Gateway yourself; this is managed by Enphase. Enphase has released patches for five of these vulnerabilities, which makes it impossible to exploit the remaining CVE (CVE-2024-21878) by way of any of the other CVEs.
What we are doing
DIVD has responsibly disclosed the vulnerabilities to Enphase, which has remediated them. DIVD is now collaborating with Enphase to find vulnerable and exposed Envoy IQ Gateways worldwide in order to assist with the patching process.
Timeline
Date | Description |
---|---|
11 Apr 2024 | Wietse Boonstra and Hidde Smit report six vulnerabilities to DIVD CSIRT |
17 Apr 2024 | Vendor notified via email to cybersecurity (at) enphaseenergy.com and cybersecurity (at) enphase.com and via ticket 16059299 |
18 Apr 2024 | Vendor has acknowledged receipt of the vulnerability report |
17 Apr 2024 - 18 Apr 2024 | Time to acknowledge |
18 Apr 2024 | 1st meeting between DIVD researchers and vendor |
18 Apr 2024 - 12 Jul 2024 | Time to patch |
18 Apr 2024 - 12 Jul 2024 | DIVD and Enphase work together |
12 Jul 2024 | Enphase reports that vulnerabilities are patched. Finders have validated the fixes. Enphase starts updating devices. |
12 Jul 2024 | DIVD starts scanning for vulnerable Envoy devices to assist with prioritizing the patch process. |
18 Apr 2024 - 10 Aug 2024 | Time to limited disclosure |
10 Aug 2024 | Limited disclosure of CVEs by Enphase |
10 Aug 2024 | Limited disclosure of CVEs by DIVD following Enphase disclosure |
More information
- Enphase Advisories
- CVE-2024-21876 - Enphase Advisory for CVE-2024-21876
- CVE-2024-21877 - Enphase Advisory for CVE-2024-21877
- CVE-2024-21878 - Enphase Advisory for CVE-2024-21878
- CVE-2024-21879 - Enphase Advisory for CVE-2024-21879
- CVE-2024-21880 - Enphase Advisory for CVE-2024-21880
- CVE-2024-21881 - Enphase Advisory for CVE-2024-21881