CVE-2022-28370

Published: Jul 14, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

On Verizon 5G Home LVSKIHP OutDoorUnit (ODU) 3.33.101.0 devices, the RPC endpoint crtc_fw_upgrade provides a means of provisioning a firmware update for the device. /lib/functions/wnc_jsonsh/wnc_crtc_fw.sh has no cryptographic validation of the image, thus allowing an attacker to modify the installed firmware.

Affected (1)

Products: Verizon: Lvskihp Outdoorunit Firmware

1 product

Lvskihp Outdoorunit Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Verizon Lvskihp Outdoorunit Firmware	Version 3.33.101.0

Running on/with	Platform Versions
Verizon Lvskihp Outdoorunit	All versions

Related CWEs

Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References (4)

https://github.com/JousterL/SecWriteups/blob/main/Verizon%20LVSKIHP%205G%20Modem/readme.md

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.verizon.com/info/reportsecurityvulnerability/

Source: cve@mitre.org

Vendor Advisory

https://github.com/JousterL/SecWriteups/blob/main/Verizon%20LVSKIHP%205G%20Modem/readme.md

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.verizon.com/info/reportsecurityvulnerability/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.