CVE-2024-21881

Upload of encrypted packages allows authenticated command execution in Enphase IQ Gateway v4.x and v5.x

CVE

CVE-2024-21881

Title

Upload of encrypted packages allows authenticated command execution in Enphase IQ Gateway v4.x and v5.x

Case

DIVD-2024-00011

Credits

Wietse Boonstra of DIVD (finder)
Hidde Smit of DIVD (finder)
Frank Breedijk of DIVD (analyst)
Max van der Horst of DIVD (analyst)

Affected products

Product	Affected	Unaffected
Enphase Envoy	= 5.x (semver)
	= 4.x (semver)
		everything else

CVSS

Base score	8.6 - HIGH
Attack Vector	NETWORK
Attack Complexity>	LOW
Attack Requirements	NONE
Privileges Required	HIGH
Confidentiality Impact
Vulnerable system	HIGH	Subsequent systems	LOW
Integrity Impact
Vulnerable system	HIGH	Subsequent systems	LOW
Availability Impact
Vulnerable system	HIGH	Subsequent systems	LOW
Safety impact	PRESENT
Automatable	YES
Recovery	IRRECOVERABLE
Value Density	CONCENTRATED
Vulnerability Response effort	HIGH
Provider Urgency	NOT_DEFINED

References

https://csirt.divd.nl/CVE-2024-21881 ( third-party-advisory )
https://csirt.divd.nl/DIVD-2024-00011 ( related )
https://enphase.com/cybersecurity/advisories/ensa-2024-6 ( vendor-advisory )

Problem type(s)

CWE-326 Inadequate Encryption Strength

Impact(s)

CAPEC-88 OS Command Injection

Date published

10 Aug 2024 17:00 UTC

Last modified

Description

Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.

This issue affects Envoy: 4.x and 5.x

Workaround(s)

It is adviced to not expose this device to untrusted network acces. In other words, make sure this decvice is not reachable from the internet, a guest network or a public network.

Solution(s)

Devices are remotely being updated by the vendor.

JSON version.

DIVD CSIRT

CVE-2024-21881

Upload of encrypted packages allows authenticated command execution in Enphase IQ Gateway v4.x and v5.x

Description

Workaround(s)

Solution(s)