CVE-2022-28372 in 5G Home LVSKIHP InDoorUnitinfo

Summary

by MITRE • 07/14/2022

On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints provide a means of provisioning a firmware update for the device via crtc_fw_upgrade or crtcfwimage. The URL provided is not validated, and thus allows for arbitrary file upload to the device. This occurs in /lib/lua/luci/crtc.lua (IDU) and /lib/functions/wnc_jsonsh/wnc_crtc_fw.sh (ODU).

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/31/2022

The vulnerability described in CVE-2022-28372 affects Verizon 5G Home networking equipment including both IndoorUnit (IDU) and OutDoorUnit (ODU) devices running specific firmware versions. This issue represents a critical security flaw in the remote provisioning mechanisms used for firmware updates, where the system fails to properly validate input parameters during the firmware upgrade process. The vulnerability exists within the Communication Regulatory Compliance Tool (CRTC) interfaces that are designed to manage firmware updates for these 5G home devices.

The technical flaw manifests through improper validation of URLs provided to the firmware upgrade endpoints. When administrators or authorized users attempt to provision firmware updates through the crtc_fw_upgrade or crtcfwimage RPC endpoints, the system accepts any URL without validating its legitimacy or ensuring it points to a trusted source. This lack of validation creates an arbitrary file upload vulnerability that allows attackers to specify any file location and content during the firmware update process. The vulnerability is particularly concerning because it affects the core update mechanisms that should be secured against unauthorized modifications.

The operational impact of this vulnerability is severe as it provides an attack vector for remote code execution and system compromise. An attacker who can access the RPC endpoints could potentially upload malicious firmware images or arbitrary files to the device, leading to complete system compromise. This vulnerability affects both IDU and ODU components, meaning that the entire 5G home network infrastructure could be compromised. The affected code locations in /lib/lua/luci/crtc.lua for IDU and /lib/functions/wnc_jsonsh/wnc_crtc_fw.sh for ODU indicate that the vulnerability exists in the scripting layers responsible for firmware management and provisioning.

This vulnerability maps directly to CWE-434 which describes "Unrestricted Upload of File with Dangerous Type" and represents a classic case of insufficient input validation in network management interfaces. The ATT&CK framework would classify this under T1059.007 for Command and Scripting Interpreter and potentially T1547.001 for Registry Run Keys / Startup Folder, as the arbitrary file upload could be used to establish persistent access or execute malicious payloads. The vulnerability demonstrates a critical failure in the principle of least privilege and input sanitization that should be enforced in all network management interfaces. Organizations should immediately implement network segmentation to isolate these devices and ensure that only authorized personnel can access the provisioning endpoints. A comprehensive security assessment should include verification that all firmware update mechanisms properly validate URLs and implement proper access controls to prevent unauthorized firmware modifications. The vulnerability highlights the importance of securing remote management interfaces and implementing robust input validation across all firmware update processes.

Reservation

04/03/2022

Disclosure

07/14/2022

Moderation

accepted

CPE

ready

EPSS

0.00707

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!