Advisory ID:
ENSA-2024-1
CVSSv3:
9.3
Issue date:
2024-08-10
Updated on:
2024-08-10 (initial advisory)
CVE(s):
CVE-2024-21876
Synopsis:
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability via a URL parameter in Enphase IQ Gateway allows an unauthenticated attacker to access or create arbitrary files. This issue affects IQ Gateway version 4.x through 8.2.4224.
1. Impacted product
Enphase IQ Gateway 4.x through 8.2.4224
2. Introduction
Dutch research organization DIVD is publishing an advisory identifying a vulnerability. An update is available to address this issue.
3. Summary
Description:
Enphase IQ Gateway 4.x through 8.2.4224 allows an unauthenticated attacker to access or create arbitrary files when the IQ Gateway is modified to obtain a public IP address and connect to the public internet.
Known attack vectors:
A malicious actor may be able to exploit this vulnerability if the IQ Gateway is modified to obtain a public IP address and connect to the public internet.
Resolution:
Upgrade the Enphase IQ Gateway embedded software to version 8.2.4225 or newer.
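As an added example (not part of the Enphase advisory), the following script turns the affected range stated above (4.x through 8.2.4224, fixed in 8.2.4225 or newer) into a version check an operator can run against an inventory of reported IQ Gateway software versions; the sample version strings are constructed.

```python
# Added example, not from the advisory: decide whether a reported IQ Gateway
# embedded-software version falls in the affected range of ENSA-2024-1
# (4.x through 8.2.4224, inclusive; fixed in 8.2.4225 or newer).
import re

AFFECTED_FROM = (4, 0, 0)        # first affected release line (4.x)
AFFECTED_THROUGH = (8, 2, 4224)  # last affected version, inclusive
FIXED_FROM = (8, 2, 4225)        # first fixed version per the advisory

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a dotted version such as '8.2.4224' into a comparable int tuple.

    Missing trailing components count as zero, so '4' compares as (4, 0, 0).
    Letters, empty components or other junk raise ValueError.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"malformed version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_FROM <= parse_version(version) <= AFFECTED_THROUGH


def triage(version: str) -> str:
    """Map a reported version to the action the advisory calls for."""
    if is_affected(version):
        return "affected: upgrade to 8.2.4225 or newer; keep the gateway off the public internet"
    if parse_version(version) < AFFECTED_FROM:
        return "not in the stated affected range (pre-4.x); confirm with the vendor"
    return "fixed: 8.2.4225 or newer"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real inventory.
    for sample in ("4.0.0", "4.10.12", "8.2.4224", "8.2.4225", "8.3.0", "3.9.1"):
        print(f"{sample:>10}: {triage(sample)}")
```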
Workarounds:
Ensure that your IQ Gateway is not exposed to the public internet; public exposure is not needed for typical functionality. A typical solution is to place the gateway behind an internet router.
Additional documentation:
None.
Acknowledgments:
Enphase would like to thank the researcher Wietse Boonstra and the organization DIVD for reporting this issue.
Notes:
None.
4. References
Enphase IQ Gateway software release notes (8.2.4225)
5. Change log
2024-08-10 ENSA-2024-1: Initial security advisory.
6. Contact and information
cybersecurity@enphase.com
Enphase security advisories
Enphase vulnerability reporting
Enphase documentation center