CVE-2022-28370

Name of the Vulnerable Software and Affected Versions Verizon 5G Home LVSKIHP OutDoorUnit (ODU) version 3.33.101.0

Description The issue affects the RPC endpoint "crtc fw upgrade" which is used for provisioning firmware updates. The script /lib/functions/wnc jsonsh/wnc crtc fw.sh lacks cryptographic validation of the image, allowing an attacker to modify the installed firmware. This could potentially lead to unauthorized changes to the device's firmware.

Recommendations For version 3.33.101.0, as a temporary workaround, consider disabling the "crtc fw upgrade" RPC endpoint until a patch is available. Restrict access to the /lib/functions/wnc jsonsh/wnc crtc fw.sh script to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.