Details of VAR-202106-0266

ID

VAR-202106-0266

CVE

CVE-2020-25752

TITLE

Enphase Envoy Vulnerability in Using Hard Coded Credentials

Trust: 0.8

sources: JVNDB: JVNDB-2021-008348

DESCRIPTION

An issue was discovered on Enphase Envoy R3.x and D4.x devices. There are hardcoded web-panel login passwords for the installer and Enphase accounts. The passwords for these accounts are hardcoded values derived from the MD5 hash of the username and serial number mixed with some static strings. The serial number can be retrieved by an unauthenticated user at /info.xml. These passwords can be easily calculated by an attacker; users are unable to change these passwords. Enphase Envoy Is vulnerable to the use of hard-coded credentials.Information may be obtained. Enphase Energy Envoy is a gateway device used to connect smart home devices from Enphase Energy in the United States. Enphase Energy Envoy has a trust management vulnerability

Trust: 2.16

sources: NVD: CVE-2020-25752 // JVNDB: JVNDB-2021-008348 // CNVD: CNVD-2021-45765

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-45765

AFFECTED PRODUCTS

vendor:	enphase	model:	envoy	scope:	eq	version:	r3.0	Trust: 1.0
vendor:	enphase	model:	envoy	scope:	eq	version:	d4.0	Trust: 1.0
vendor:	enphase energy	model:	envoy	scope:	eq	version:	r3.x	Trust: 0.8
vendor:	enphase energy	model:	envoy	scope:	eq	version:	-	Trust: 0.8
vendor:	enphase energy	model:	envoy	scope:	eq	version:	d4.x	Trust: 0.8
vendor:	enphase	model:	energy envoy r3.*	scope:	-	version:	-	Trust: 0.6
vendor:	enphase	model:	energy envoy d4.*	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2021-45765 // JVNDB: JVNDB-2021-008348 // NVD: CVE-2020-25752

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-25752
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2020-25752
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2021-45765
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202106-1345
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2020-25752
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2021-45765
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-25752
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2020-25752
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-45765 // JVNDB: JVNDB-2021-008348 // CNNVD: CNNVD-202106-1345 // NVD: CVE-2020-25752

PROBLEMTYPE DATA

problemtype:	CWE-798	Trust: 1.0
problemtype:	Using hardcoded credentials (CWE-798) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-008348 // NVD: CVE-2020-25752

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-1345

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202106-1345

PATCH

title:	Communication	url:	https://enphase.com/en-us/products-and-services/envoy-and-combiner	Trust: 0.8
title:	Patch for Enphase Energy Envoy trust management issue vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/276106	Trust: 0.6
title:	Enphase Envoy Repair measures for trust management problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=155301	Trust: 0.6

sources: CNVD: CNVD-2021-45765 // JVNDB: JVNDB-2021-008348 // CNNVD: CNNVD-202106-1345

EXTERNAL IDS

db:	NVD	id:	CVE-2020-25752	Trust: 3.8
db:	JVNDB	id:	JVNDB-2021-008348	Trust: 0.8
db:	CNVD	id:	CNVD-2021-45765	Trust: 0.6
db:	CNNVD	id:	CNNVD-202106-1345	Trust: 0.6

sources: CNVD: CNVD-2021-45765 // JVNDB: JVNDB-2021-008348 // CNNVD: CNNVD-202106-1345 // NVD: CVE-2020-25752

REFERENCES

url:	https://medium.com/stage-2-security/can-solar-controllers-be-used-to-generate-fake-clean-energy-credits-4a7322e7661a	Trust: 2.4
url:	https://stage2sec.com	Trust: 1.6
url:	https://enphase.com/en-us/products-and-services/envoy-and-combiner	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25752	Trust: 1.4

sources: CNVD: CNVD-2021-45765 // JVNDB: JVNDB-2021-008348 // CNNVD: CNNVD-202106-1345 // NVD: CVE-2020-25752

SOURCES

db:	CNVD	id:	CNVD-2021-45765
db:	JVNDB	id:	JVNDB-2021-008348
db:	CNNVD	id:	CNNVD-202106-1345
db:	NVD	id:	CVE-2020-25752

LAST UPDATE DATE

2024-08-14T14:31:43.269000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-45765	date:	2021-06-29T00:00:00
db:	JVNDB	id:	JVNDB-2021-008348	date:	2022-03-14T07:16:00
db:	CNNVD	id:	CNNVD-202106-1345	date:	2021-06-28T00:00:00
db:	NVD	id:	CVE-2020-25752	date:	2021-06-24T12:08:21.947

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-45765	date:	2021-06-29T00:00:00
db:	JVNDB	id:	JVNDB-2021-008348	date:	2022-03-14T00:00:00
db:	CNNVD	id:	CNNVD-202106-1345	date:	2021-06-16T00:00:00
db:	NVD	id:	CVE-2020-25752	date:	2021-06-16T19:15:17.470