Cybersecurity

ENSA-2024-4: URL Parameter Manipulations Allow An Authenticated Attacker To Execute (IQ Gateway 4.x through 8.2.4224)

Advisory ID:
ENSA-2024-4

CVSSv3:
8.7

Issue date:
2024-08-10

Updated on:
2024-08-10 (initial advisory)

CVE(s): 
CVE-2024-21879

Synopsis: 
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability through a URL parameter of an authenticated endpoint in Enphase IQ Gateway allows OS Command Injection. This issue affects IQ Gateway versions 4.x through 8.2.4224.


1. Impacted product

Enphase IQ Gateway 4.x through 8.2.4224

2. Introduction

Dutch research organization DIVD is publishing an advisory identifying a vulnerability. An update is available to address this issue.

3. Summary

Description:
Enphase IQ Gateway 4.x through 8.2.4224 allows OS command injection through a URL parameter of an authenticated endpoint. The issue is exploitable when the IQ Gateway is modified to obtain a public IP address and connect to the public internet.

Known attack vectors:
A malicious actor may be able to exploit this vulnerability if the IQ Gateway is modified to obtain a public IP address and connect to the public internet.

Resolution:
Upgrade the Enphase IQ Gateway embedded software to 8.2.4225 or newer.

Workarounds:
Ensure that your IQ Gateway is not exposed to the public internet; public exposure is not needed for typical functionality. The typical solution is to keep the gateway behind an internet router.
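The Resolution and Workarounds above give a fleet operator two things to verify per device: whether the embedded software version falls inside the affected range (4.x through 8.2.4224, fixed in 8.2.4225) and whether the gateway sits on a publicly routable address rather than behind a router. The following script is an added example written for this advisory, not Enphase or DIVD code; it assumes the dotted three-component version format shown in the advisory and treats any globally routable address as "exposed". The sample inventory at the bottom is constructed for illustration.

```python
import ipaddress
from typing import Tuple

# Version bounds taken from the advisory text (ENSA-2024-4).
AFFECTED_MIN = (4, 0, 0)       # "4.x"
AFFECTED_MAX = (8, 2, 4224)    # "through 8.2.4224"
FIXED_VERSION = (8, 2, 4225)   # "8.2.4225 or newer"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a dotted IQ Gateway version string (e.g. '8.2.4224') into a
    three-integer tuple. The three-component layout is assumed from the
    advisory's own examples; missing trailing components count as 0."""
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected_version(version: str) -> bool:
    """True if the version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def is_publicly_routable(address: str) -> bool:
    """True if the address is globally routable, i.e. the gateway is likely
    reachable from the public internet instead of sitting behind a router
    on a private range (RFC 1918, ULA, etc.)."""
    return ipaddress.ip_address(address).is_global


def assess(version: str, address: str) -> str:
    """Combine both checks into a single verdict for one device."""
    if not is_affected_version(version):
        return "not affected: version outside the advisory's affected range"
    if is_publicly_routable(address):
        return ("AT RISK: affected version on a publicly routable address; "
                "upgrade to 8.2.4225 or newer and remove public exposure")
    return ("affected version but not publicly exposed; "
            "upgrade to 8.2.4225 or newer")


if __name__ == "__main__":
    # Constructed sample inventory (version, management address); these are
    # not real devices. 8.8.8.8 is used only as a well-known public address.
    SAMPLE_INVENTORY = [
        ("8.2.4224", "192.168.1.50"),
        ("8.2.4224", "8.8.8.8"),
        ("8.2.4225", "8.8.8.8"),
        ("7.6.175", "10.0.0.8"),
    ]
    for ver, ip in SAMPLE_INVENTORY:
        print(f"{ver:>10} {ip:>15} -> {assess(ver, ip)}")
```

Feed the script the version and address reported by each gateway in your inventory; a device that is both in the affected range and globally routable should be upgraded and moved behind a router first, while an affected device on a private address still needs the upgrade but is not exploitable by the vector the advisory describes.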

Additional documentation:
None.

Acknowledgments:
Enphase would like to thank the researcher Wietse Boonstra and the organization DIVD for reporting this issue.

Notes:
None.

4. References

Enphase IQ Gateway software release notes (8.2.4225)

5. Change log

2024-08-10 ENSA-2024-4: Initial security advisory.

6. Contact and information

cybersecurity@enphase.com
Enphase security advisories
Enphase vulnerability reporting
Enphase documentation center