Shea Polansky

**Name of the Vulnerable Software and Affected Versions** Verizon 5G Home LVSKIHP InDoorUnit (IDU) version 3.4.66.162 **Description** The issue concerns the failure to validate user-provided URLs within the `crtcmode` function's `enable ssh` sub-operation of the `crtcrpc` JSON listener, located at `/lib/functions/wnc jsonsh/crtcmode.sh`. A remote attacker on the local network can exploit this by providing a malicious URL, and the data from that URL is written to `/usr/sbin/dropbear` and then executed as root. **Recommendations** For version 3.4.66.162, as a temporary workaround, consider disabling the `enable ssh` sub-operation of the `crtcmode` function until a patch is available. Restrict access to the `crtcrpc` JSON listener to minimize the risk of exploitation. Avoid using the `crtcmode.sh` script in the `/lib/functions/wnc jsonsh/` directory until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Verizon 5G Home LVSKIHP InDoorUnit (IDU) version 3.4.66.162 Verizon 5G Home LVSKIHP OutDoorUnit (ODU) version 3.33.101.0 **Description** The CRTC and ODU RPC endpoints rely on a static certificate for access control, which is embedded in the firmware and identical across devices. An attacker can gain access by downloading the firmware and extracting the private components of the certificates from `/etc/lighttpd.d/ca.pem` and `/etc/lighttpd.d/server.pem`. The firmware download location is shown in a device's upgrade logs. **Recommendations** For Verizon 5G Home LVSKIHP InDoorUnit (IDU) version 3.4.66.162, consider disabling the CRTC and ODU RPC endpoints until a patch is available. For Verizon 5G Home LVSKIHP OutDoorUnit (ODU) version 3.33.101.0, restrict access to the `/etc/lighttpd.d/ca.pem` and `/etc/lighttpd.d/server.pem` files to minimize the risk of exploitation. As a temporary workaround, avoid using the static certificate for access control until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Verizon 5G Home LVSKIHP InDoorUnit (IDU) version 3.4.66.162 **Description** The issue arises from improper sanitization of user-controlled parameters within the `crtcreadpartition` function of the `crtcrpc` JSON listener in `/usr/lib/lua/luci/crtc.lua`. This allows a remote attacker on the local network to inject shell metacharacters, achieving remote code execution as root. **Recommendations** For version 3.4.66.162, consider disabling the `crtcreadpartition` function until a patch is available to prevent remote code execution. Restrict access to the `/usr/lib/lua/luci/crtc.lua` file to minimize the risk of exploitation. Avoid using user-controlled parameters in the affected JSON listener until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Verizon 5G Home LVSKIHP OutDoorUnit (ODU) version 3.33.101.0 **Description** The issue concerns the lack of proper sanitization of user-controlled parameters within the DMACC URLs on the Settings page of the Engineering portal. This allows an authenticated remote attacker on the local network to inject shell metacharacters into /usr/lib/lua/5.1/luci/controller/admin/settings.lua, achieving remote code execution as root. **Recommendations** For version 3.33.101.0, consider disabling access to the Settings page of the Engineering portal until a patch is available. Restrict access to the /usr/lib/lua/5.1/luci/controller/admin/settings.lua file to minimize the risk of exploitation. Avoid using user-controlled parameters within the DMACC URLs until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.