CVE-2024-21876

Unauthenticated Path Traversal via URL Parameter in Enphase IQ Gateway version < 8.2.4225

CVE

CVE-2024-21876

Title

Unauthenticated Path Traversal via URL Parameter in Enphase IQ Gateway version < 8.2.4225

Case

DIVD-2024-00011

Credits

Wietse Boonstra of DIVD (finder)
Hidde Smit of DIVD (finder)
Frank Breedijk of DIVD (analyst)
Max van der Horst of DIVD (analyst)

Affected products

Product	Affected	Unaffected
Enphase IQ Gateway	>= 8.0 to < 8.2.4225 (semver)
	= 7.x (semver)
	= 6.x (semver)
	= 5.x (semver)
	= 4.x (semver)
		everything else

CVSS

Scenario 1 : GENERAL

Base score	9.3 - CRITICAL
Attack Vector	NETWORK
Attack Complexity>	LOW
Attack Requirements	NONE
Privileges Required	NONE
Confidentiality Impact
Vulnerable system	HIGH	Subsequent systems	NONE
Integrity Impact
Vulnerable system	HIGH	Subsequent systems	NONE
Availability Impact
Vulnerable system	NONE	Subsequent systems	NONE
Safety impact	NEGLIGIBLE
Automatable	YES
Recovery	NOT_DEFINED
Value Density	DIFFUSE
Vulnerability Response effort	HIGH
Provider Urgency	NOT_DEFINED

Scenario 2 : Chain of CVE-2024-21876, CVE-2024-21877 and CVE-2024-21878

Base score	9.2 - CRITICAL
Attack Vector	NETWORK
Attack Complexity>	HIGH
Attack Requirements	NONE
Privileges Required	NONE
Confidentiality Impact
Vulnerable system	HIGH	Subsequent systems	LOW
Integrity Impact
Vulnerable system	HIGH	Subsequent systems	LOW
Availability Impact
Vulnerable system	HIGH	Subsequent systems	LOW
Safety impact	PRESENT
Automatable	YES
Recovery	IRRECOVERABLE
Value Density	CONCENTRATED
Vulnerability Response effort	HIGH
Provider Urgency	NOT_DEFINED

References

https://csirt.divd.nl/CVE-2024-21876 ( third-party-advisory )
https://csirt.divd.nl/DIVD-2024-00011 ( related )
https://enphase.com/cybersecurity/advisories/ensa-2024-1 ( vendor-advisory )

Problem type(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Impact(s)

CAPEC-165 File Manipulation

Date published

10 Aug 2024 17:00 UTC

Last modified

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability via a URL parameter in Enphase IQ Gateway (formerly known as Envoy) allows an unautheticated attacker to access or create arbitratry files.

This issue affects Envoy: from 4.x to 8.x and < 8.2.4225.

Workaround(s)

It is adviced to not expose this device to untrusted network acces. In other words, make sure this decvice is not reachable from the internet, a guest network or a public network.

Solution(s)

Devices are remotely being updated by the vendor.

JSON version.

DIVD CSIRT

CVE-2024-21876

Unauthenticated Path Traversal via URL Parameter in Enphase IQ Gateway version < 8.2.4225

Description

Workaround(s)

Solution(s)