CVE-2022-28372

On Verizon 5G Home LVSKIHP InDoorUnit IDU 3.4.66.162 and OutDoorUnit ODU 3.33.101.0 devices, the CRTC and ODU RPC endpoints provide a means of provisioning a firmware update for the device via crtcfwupgrade or crtcfwimage. The URL provided is not validated, and thus allows for arbitrary file uplo...

CVE-2022-28371

On Verizon 5G Home LVSKIHP InDoorUnit IDU 3.4.66.162 and OutDoorUnit ODU 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static certificate for access control. This certificate is embedded in the firmware, and is identical across the fleet of devices. An attacker need only download...

CVE-2022-28373

Verizon 5G Home LVSKIHP InDoorUnit IDU 3.4.66.162 does not properly sanitize user-controlled parameters within the crtcreadpartition function of the crtcrpc JSON listener in /usr/lib/lua/luci/crtc.lua. A remote attacker on the local network can inject shell metacharacters to achieve remote code...

CVE-2022-28377

On Verizon 5G Home LVSKIHP InDoorUnit IDU 3.4.66.162 and OutDoorUnit ODU 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static account username/password for access control. This password can be generated via a binary included in the firmware, after ascertaining the MAC address of th...

CVE-2022-28369

CVE-2022-28369 affects Verizon 5G Home LVSKIHP InDoorUnit (IDU) firmware 3.4.66.162. The crtcmode.sh crtcrpc JSON listener’s enable_ssh sub-operation does not validate a user-supplied URL, enabling a local-network attacker to supply a malicious URL. Data from that URL is written to /usr/sbin/drop...

CVE-2022-28377

Affected: Verizon 5G Home LVSKIHP IDU 3.4.66.162 and ODU 3.33.101.0. Root cause: CRTC/ODU RPC endpoints rely on a static account username/password for access control, and the password can be generated via a firmware binary after determining the IDU’s base Ethernet MAC and setting DEVICE_MANUFACTU...