CVE-2024-21878

Command Injection through Unsafe File Name Evaluation in internal script in Enphase IQ Gateway v4.x to and including 8.x

Description

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script.This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched.

Remediation

Solution:

Devices are remotely being updated by the vendor.

Workaround:

It is adviced to not expose this device to untrusted network acces. In other words, make sure this decvice is not reachable from the internet, a guest network or a public network. This will ensure that the likelihood of any attacks that can get access to the OS and thus abuse this vulnerability is reduced.

References

Link	Tags
https://csirt.divd.nl/CVE-2024-21878	third party advisory
https://csirt.divd.nl/DIVD-2024-00011	third party advisory related
https://enphase.com/cybersecurity/advisories/ensa-2024-3	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2024-21878?: CVE-2024-21878 has been scored as a critical severity vulnerability.
How to fix CVE-2024-21878?: To fix CVE-2024-21878: Devices are remotely being updated by the vendor.
Is CVE-2024-21878 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-21878 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-21878?: CVE-2024-21878 affects Enphase Envoy.

Description

Remediation

Categories

CWE-77 – Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78 – Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

References

Frequently Asked Questions