Cybersecurity

ENSA-2024-6: Upload of Encrypted Packages Allows Authenticated Command Execution in Enphase IQ Gateway (IQ Gateway 4.x.x and 5.x.x)

Advisory ID:
ENSA-2024-6

CVSSv3:
8.6

Issue date:
2024-08-10

Updated on:
2024-08-10 (initial advisory)

CVE(s): 
CVE-2024-21881

Synopsis: 
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability via the url parameter of an authenticated endpoint in Enphase IQ Gateway allows OS command injection. This issue affects IQ Gateway versions 4.x.x and 5.x.x.


1. Impacted product

Enphase IQ Gateway 4.x.x and 5.x.x.

2. Introduction

The Dutch research organization DIVD has published an advisory identifying this vulnerability. An update is available that addresses the issue.

3. Summary

Description:
Enphase IQ Gateway 4.x.x and 5.x.x have inadequate encryption strength, allowing an authenticated attacker to execute arbitrary OS commands via encrypted package upload when the IQ Gateway has been modified to obtain a public IP address and connect directly to the public internet.

Known attack vectors:
A malicious actor may be able to exploit this vulnerability if the IQ Gateway has been modified to obtain a public IP address and connect directly to the public internet.

Resolution:
Upgrade the Enphase IQ Gateway embedded software to 8.2.4225 or newer.

Workarounds:
Ensure that your IQ Gateway is not reachable from the public internet; internet exposure is not required for normal operation. Placing the gateway behind a typical internet (NAT) router, which does not forward inbound connections to it, is sufficient.
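One way to turn the resolution and workaround above into an inventory check, as an added example that is not code from Enphase or DIVD: it parses the firmware version a gateway reports, compares it against the listed affected ranges (4.x.x, 5.x.x) and the fixed release (8.2.4225), and flags any gateway whose management address is globally routable. The sample inventory, the addresses and the `triage` helper are assumptions constructed for the example. The advisory says nothing about 6.x or 7.x firmware, so those are reported as "unlisted" rather than treated as safe.

```python
"""Triage helper for ENSA-2024-6 (added example, not Enphase's or DIVD's code).

Given a gateway's management IP address and the firmware version it reports,
decide whether it falls in the advisory's affected ranges (4.x.x, 5.x.x),
whether it is at or above the fixed release (8.2.4225), and whether its
address is one the workaround says it should never have (globally routable).
"""
import ipaddress
import re
from typing import Tuple

FIXED_VERSION = (8, 2, 4225)   # from the advisory: 8.2.4225 or newer
AFFECTED_MAJORS = {4, 5}       # from the advisory: 4.x.x and 5.x.x

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.BUILD' into a comparable tuple; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def version_status(text: str) -> str:
    """Classify a firmware version against the advisory.

    'affected' : in the 4.x.x / 5.x.x ranges the advisory lists
    'fixed'    : 8.2.4225 or newer
    'unlisted' : older than the fix but not in a listed range (e.g. 6.x, 7.x);
                 the advisory is silent on these, so do not assume they are safe
    """
    v = parse_version(text)
    if v >= FIXED_VERSION:
        return "fixed"
    if v[0] in AFFECTED_MAJORS:
        return "affected"
    return "unlisted"


def exposure_status(ip_text: str) -> str:
    """'exposed' if the address is globally routable, else 'private'.

    ipaddress reports is_global as False for RFC 1918 space, link-local,
    loopback, CGNAT and the documentation ranges, i.e. the normal situation
    for a gateway behind a NAT router, which is what the workaround asks for.
    """
    addr = ipaddress.ip_address(ip_text)
    return "exposed" if addr.is_global else "private"


def triage(ip_text: str, version_text: str) -> str:
    """Combine both checks into the action an operator should take (assumed wording)."""
    vs = version_status(version_text)
    es = exposure_status(ip_text)
    if vs == "fixed":
        return "ok: patched"
    if es == "exposed":
        return f"urgent: {vs} firmware on a public address; take it off the internet and upgrade"
    return f"upgrade: {vs} firmware, private address (workaround in place)"


# Constructed sample inventory (not real devices or real version history).
SAMPLE_INVENTORY = [
    ("192.168.1.20", "5.0.62"),
    ("1.2.3.4", "4.10.35"),
    ("10.0.0.5", "8.2.4225"),
    ("172.16.0.9", "7.6.175"),
]

if __name__ == "__main__":
    for ip, ver in SAMPLE_INVENTORY:
        print(f"{ip:15} {ver:10} -> {triage(ip, ver)}")
```

The version comparison is a plain tuple comparison, so it treats any release at or above 8.2.4225 as fixed regardless of branch; if Enphase later lists additional affected ranges, extend `AFFECTED_MAJORS` rather than relaxing the `unlisted` case.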

Additional documentation:
None.

Acknowledgments:
Enphase would like to thank the researcher Wietse Boonstra and the organization DIVD for reporting this issue.

Notes:
None.

4. References

Enphase IQ Gateway software release notes (8.2.4225)

5. Change log

2024-08-10 ENSA-2024-6: Initial security advisory.

6. Contact and information

cybersecurity@enphase.com
Enphase security advisories
Enphase vulnerability reporting
Enphase documentation center