CISA: Enphase ignores reports about vulnerabilities in Envoy

[Gandalf_The_Grey]

Content source

https://www.security.nl/posting/800380/CISA%3A+Enphase+negeert+meldingen+over+kwetsbaarheden+in+Envoy

(Translated from Dutch with DeepL):

Enphase Energy, manufacturer of microinverters, energy monitoring and energy storage systems, has ignored notifications about several vulnerabilities in its products, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) claims. Through the security holes, caused in part by a hard-coded password, an attacker can steal sensitive information.

The problems occur with the Enphase Envoy, a solution that measures power production from solar panels. Enphase Envoy version D7.0.88 and earlier are vulnerable to command injection, which allows an attacker to execute commands with root privileges. In addition, the Enphase Installer Toolkit for Android, version 3.27.0 and earlier, contains a hard-coded password.

With the toolkit, it is possible to install the Envoy. Through the hardcoded password, an attacker can steal sensitive data, CISA said. The impact of this vulnerability was rated 8.6 on a scale of 1 to 10. Command injection received an impact score of 6.3.

CISA informed Enphase of the vulnerabilities, but the company would not cooperate in fixing the problems, the U.S. government agency said. A new version of the Android app has since been released, but whether it is no longer vulnerable is unknown. On Enphase's forum, users have since also asked questions, but no answers have yet been given.

CISA: Enphase negeert meldingen over kwetsbaarheden in Envoy - Security.NL

www.security.nl

Enphase Envoy | CISA

www.cisa.gov

Enphase Installer Toolkit Android App | CISA

www.cisa.gov

 

[Gandalf_The_Grey]

Now posted by SecurityWeek:

Enphase Ignores CISA Request to Fix Remotely Exploitable Flaws

CISA warned of remotely exploitable vulnerabilities in Enphase Energy products (CVE-2023-32274 and CVE-2023-33869)

www.securityweek.com

SecurityWeek has contacted Enphase for comment and will update this story if a response is received.

 

[Gandalf_The_Grey]

Now posted by SecurityWeek:

Enphase Ignores CISA Request to Fix Remotely Exploitable Flaws

CISA warned of remotely exploitable vulnerabilities in Enphase Energy products (CVE-2023-32274 and CVE-2023-33869)

www.securityweek.com

Update: After SecurityWeek published this story and contacted Enphase for comment, the company responded late Wednesday afternoon to say it has now been in touch with CISA.

“Enphase Energy is in direct contact with CISA and committed to quickly addressing any potential vulnerabilities,” a company spokesperson told SecurityWeek. “Enphase maintains a strong focus on cybersecurity to protect our customers in an increasingly interconnected, data-driven, and modern energy landscape. With positive customer experience at the center, we aim to create and provide high-quality products and services that meet the highest security standards”

And on the CISA pages:

Enphase Energy is currently developing mitigations. An advisory update will be issued when they are ready.