CVE-2019-7678
Description
A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in Enphase Envoy R3.*.* allows unauthenticated attackers to read arbitrary files via crafted paths on port 8888.
Vulnerability
A directory traversal vulnerability exists in Enphase Envoy firmware versions R3.*.*. The web server listening on TCP port 8888 fails to sanitize user-supplied paths when serving files from the images/, include/, include/js, or include/css directories. An attacker can inject ../ sequences to escape the intended directory and access arbitrary files on the device [1].
Exploitation
An unauthenticated attacker with network access to the Envoy device can exploit this by sending HTTP GET requests to the vulnerable endpoints with path traversal sequences. For example, requesting /images/../../etc/passwd would retrieve the system password file. No authentication or user interaction is required [1]. The attack is demonstrated in a proof-of-concept script and screenshot [1][2].
Impact
Successful exploitation allows an attacker to read any file on the device's filesystem that the web server process has access to. This can include sensitive configuration files, credentials, and other system data, leading to information disclosure and potential further compromise of the device [1].
Mitigation
As of the publication date, no official patch or workaround has been disclosed in the available references. Users should monitor Enphase for firmware updates and restrict network access to port 8888 to trusted hosts as a temporary measure [1][2].
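One way to review access logs for the traversal requests described above (an added example, not code from the cited references or from Enphase). It assumes a common-format access log captured by a proxy or sensor in front of port 8888; the function names, regex and sample lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Two roots cover the four directories in the CVE description (include/js and include/css sit under include/).
SERVED_ROOTS = ("/images", "/include")
# Assumed log format: common/combined access log; captures client and request target.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def decode_path(raw_target, max_rounds=3):
    """Strip the query string and undo percent-encoding, including nested encoding."""
    path = raw_target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators and collapse repeated leading slashes.
    return "/" + path.replace("\\", "/").lstrip("/")


def escapes_served_root(raw_target):
    """True if a request addressed to a served root resolves outside of it."""
    path = decode_path(raw_target)
    root = next((r for r in SERVED_ROOTS if path == r or path.startswith(r + "/")), None)
    if root is None:
        return False
    resolved = posixpath.normpath(path)
    return not (resolved == root or resolved.startswith(root + "/"))


def flag_requests(log_lines):
    """Return (client, request target) for every log line that escapes a served root."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if match and escapes_served_root(match.group(2)):
            hits.append((match.group(1), match.group(2)))
    return hits


# Constructed sample lines (documentation IP ranges), not taken from a real device.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /images/logo.png HTTP/1.1" 200 1843',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /images/../../etc/passwd HTTP/1.1" 200 612',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /include/css/%252e%252e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 612',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /include/js/../css/site.css HTTP/1.1" 200 220',
]
```

Calling flag_requests(SAMPLE_LOG) returns the two requests from 198.51.100.7; the include/js/../css request is not flagged because it resolves inside include/.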
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
- github.com/pudding2/enphase-energy/blob/master/directory_traversal_1.png (mitre, x_refsource_MISC)
- github.com/pudding2/enphase-energy/blob/master/directory_traversal_exp.txt (mitre, x_refsource_MISC)