PT-2022-18986 · Verizon · Verizon 5G Home Lvskihp Outdoorunit

Published 2022-07-14 · Updated 2022-07-21 · CVE-2022-28377

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Verizon 5G Home LVSKIHP InDoorUnit (IDU) version 3.4.66.162

Verizon 5G Home LVSKIHP OutDoorUnit (ODU) version 3.33.101.0

Description

The issue concerns the use of a static account username and password for access control on the CRTC and ODU RPC endpoints. This password can be generated using a binary included in the firmware by obtaining the MAC address of the IDU's base Ethernet interface and modifying the /etc/device_info file to include the string DEVICE_MANUFACTURER='Wistron NeWeb Corp.'. The vulnerable endpoint is related to the file /etc/init.d/wnc_factoryssidkeypwd on the IDU.

Recommendations

For Verizon 5G Home LVSKIHP InDoorUnit (IDU) version 3.4.66.162, consider disabling access to the CRTC and ODU RPC endpoints until a patch is available. For Verizon 5G Home LVSKIHP OutDoorUnit (ODU) version 3.33.101.0, restrict access to the ODU RPC endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the static account username and password for access control on the affected devices until the issue is resolved.


Weakness Enumeration

Related Identifiers

CVE-2022-28377

Affected Products

Verizon 5G Home Lvskihp Outdoorunit