
CVE-2024-21878

Command Injection through Unsafe File Name Evaluation in internal script in Enphase IQ Gateway v4.x to and including 8.x

CVE CVE-2024-21878
Title Command Injection through Unsafe File Name Evaluation in internal script in Enphase IQ Gateway v4.x to and including 8.x
Case DIVD-2024-00011
Credits
Affected products
Product Affected Unaffected Unknown
Enphase Envoy >= 8.x to < 8.2.4225 (semver)
= 7.x (semver)
= 6.x (semver)
= 5.x (semver)
= 4.x (semver)
everything else
CVSS Scenario 1 : GENERAL
Base score 7.1 - HIGH
Attack Vector LOCAL
Attack Complexity HIGH
Attack Requirements NONE
Privileges Required HIGH
Confidentiality Impact
Vulnerable system HIGH Subsequent systems LOW
Integrity Impact
Vulnerable system HIGH Subsequent systems LOW
Availability Impact
Vulnerable system HIGH Subsequent systems LOW
Safety impact PRESENT
Automatable YES
Recovery IRRECOVERABLE
Value Density CONCENTRATED
Vulnerability Response effort HIGH
Provider Urgency NOT_DEFINED

Scenario 2 : Chain of CVE-2024-21876, CVE-2024-21877 and CVE-2024-21878
Base score 9.2 - CRITICAL
Attack Vector NETWORK
Attack Complexity HIGH
Attack Requirements NONE
Privileges Required NONE
Confidentiality Impact
Vulnerable system HIGH Subsequent systems LOW
Integrity Impact
Vulnerable system HIGH Subsequent systems LOW
Availability Impact
Vulnerable system HIGH Subsequent systems LOW
Safety impact PRESENT
Automatable YES
Recovery IRRECOVERABLE
Value Density CONCENTRATED
Vulnerability Response effort HIGH
Provider Urgency NOT_DEFINED
References
Problem type(s) CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Impact(s) CAPEC-88 OS Command Injection
Date published 10 Aug 2024 17:00 UTC
Last modified

Description

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script.

This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched.

Workaround(s)

It is advised not to expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network.
This reduces the likelihood of attacks that can gain access to the OS and thus abuse this vulnerability.

Solution(s)

Devices are remotely being updated by the vendor.

