VYPR
Unrated severity · NVD Advisory · Published Aug 10, 2024 · Updated Mar 11, 2025

Unauthenticated Path Traversal via URL Parameter in Enphase IQ Gateway version < 8.2.4225

CVE-2024-21876

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability via a URL parameter in Enphase IQ Gateway (formerly known as Envoy) allows an unauthenticated attacker to access or create arbitrary files. This issue affects Envoy: from 4.x to 8.x and < 8.2.4225.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated path traversal in Enphase IQ Gateway (4.x–8.2.4224) allows attackers to access or create arbitrary files when the device is exposed to the public internet.

Vulnerability

CVE-2024-21876 is a path traversal vulnerability in the Enphase IQ Gateway (formerly Envoy) embedded software, affecting versions from 4.x to 8.2.4224 [1]. The flaw exists due to improper limitation of a pathname to a restricted directory, exploitable via a URL parameter when the IQ Gateway is configured with a public IP address and connected to the public internet [1].

Exploitation

An unauthenticated attacker with network access can exploit this vulnerability by sending crafted HTTP requests containing path traversal sequences in a URL parameter [1]. The IQ Gateway must be exposed to the public internet (i.e., have a public IP assigned) and not be behind a typical router firewall, which is not its intended deployment configuration [1]. No authentication or user interaction is required [1].

Impact

Successful exploitation allows an unauthenticated, remote attacker to read or create arbitrary files on the device's filesystem [1]. This could lead to disclosure of sensitive configuration data, credential theft, or the ability to upload malicious files, potentially compromising the integrity and availability of the gateway [1].

Mitigation

Enphase released firmware version 8.2.4225 to fix this vulnerability [1]. Users should upgrade their IQ Gateway software to 8.2.4225 or later [1]. As a workaround, ensure the IQ Gateway is not directly exposed to the public internet and is placed behind a standard router, which is the recommended configuration for typical operation [1]. The vendor advisory does not list the CVE in the known exploited vulnerabilities catalog.
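The weakness class this advisory describes, shown as an added example that is not Enphase's code (the gateway's actual URL parameter and directory are not given on the page, so the base directory and request names below are constructed): a naive join that lets `..` segments or an absolute name escape the restricted directory, beside a containment check that compares resolved path components rather than string prefixes.

```python
import os
from pathlib import Path


def vulnerable_resolve(base_dir: str, name: str) -> str:
    """Naive join: the request-supplied name is trusted as-is.

    '..' segments walk out of base_dir, and an absolute name makes
    os.path.join discard base_dir entirely.
    """
    return os.path.normpath(os.path.join(base_dir, name))


def naive_prefix_check(base_dir: str, name: str) -> bool:
    """A string-prefix check, shown because it is a common but insufficient
    fix: '/srv/www/data2/x' passes a prefix check for '/srv/www/data'."""
    resolved = os.path.normpath(os.path.join(base_dir, name))
    return resolved.startswith(os.path.normpath(base_dir))


def is_contained(base_dir: str, name: str) -> bool:
    """True only if name resolves to a path strictly inside base_dir.

    Assumes the caller has already URL-decoded name exactly once, so encoded
    forms such as %2e%2e are judged after decoding, not as raw text.
    """
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()  # '..' and absolute names collapse here
    return base in candidate.parents     # component-wise, not a string prefix


def safe_resolve(base_dir: str, name: str) -> Path:
    """Resolve a request-supplied file name under base_dir or refuse it."""
    if not is_contained(base_dir, name):
        raise ValueError(f"refusing path outside restricted directory: {name!r}")
    return (Path(base_dir).resolve() / name).resolve()


if __name__ == "__main__":
    base = "/srv/www/data"  # constructed example directory, not a real device path
    for req in ["reports/today.json", "../../../etc/passwd", "/etc/passwd", "../data2/x"]:
        print(f"{req!r:24} join -> {vulnerable_resolve(base, req):26} "
              f"prefix ok: {naive_prefix_check(base, req)!s:5} "
              f"contained: {is_contained(base, req)}")
```

The `../data2/x` case is the one to note: it passes the prefix check but fails the component-wise check, which is why the containment test must compare resolved path parents rather than strings.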

References
  1. ENSA-2024-1

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (3)

  • Enphase/Envoy [llm-fuzzy]
    Range: 4.x to 8.x, <8.2.4225
  • Enphase/IQ Gateway [llm-fuzzy], 2 versions:
    • (no CPE) range: 4.x to 8.x, <8.2.4225
    • (no CPE) range: 8.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions (0)

No linked articles in our index yet.