CVE-2022-28375 in 5G Home LVSKIHP OutDoorUnit
Summary
by MITRE • 07/14/2022
Verizon 5G Home LVSKIHP OutDoorUnit (ODU) 3.33.101.0 does not property sanitize user-controlled parameters within the crtcswitchsimprofile function of the crtcrpc JSON listener. A remote attacker on the local network can inject shell metacharacters into /usr/lib/lua/5.1/luci/controller/rpc.lua to achieve remote code execution as root,
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/31/2022
The vulnerability CVE-2022-28375 affects the Verizon 5G Home LVSKIHP Outdoor Unit firmware version 3.33.101.0, representing a critical security flaw in the device's JSON RPC listener implementation. This issue stems from inadequate input validation within the crtcswitchsimprofile function, which processes user-controlled parameters without proper sanitization. The flaw exists in the /usr/lib/lua/5.1/luci/controller/rpc.lua file, where shell metacharacters can be injected through improper parameter handling, creating a pathway for unauthorized remote code execution. The vulnerability specifically targets the device's web-based management interface, which operates on the local network, making it accessible to attackers within the same network segment.
The technical implementation of this vulnerability demonstrates a classic command injection flaw that aligns with CWE-77 and CWE-94, where user-supplied data is directly incorporated into shell commands without adequate validation or sanitization. The crtcswitchsimprofile function fails to properly filter or escape special characters that could be interpreted by the underlying shell, allowing attackers to execute arbitrary commands with the highest privilege level available. This occurs because the system does not implement proper input sanitization mechanisms before passing parameters to system-level functions that execute shell commands. The attack vector requires network proximity due to the local network access requirement, but once exploited, the attacker gains root-level privileges, effectively compromising the entire device.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it provides complete control over the 5G Home unit's functionality and potentially exposes the broader local network to further attacks. An attacker with access to the local network can execute commands as root, which may include modifying device configuration, installing malicious software, creating backdoors, or using the device as a pivot point to attack other networked systems. The device's role as a 5G gateway makes it particularly valuable as an attack platform, potentially enabling lateral movement within the network and providing access to sensitive data or services that rely on the device for connectivity. The vulnerability's presence in the RPC listener component suggests that legitimate administrative functions may also be affected, potentially disrupting device operations or providing additional attack surfaces.
Mitigation strategies for this vulnerability should focus on immediate firmware updates from Verizon, as the manufacturer has likely released patches addressing the input sanitization issues. Network segmentation and access control measures can help limit the attack surface by restricting local network access to trusted devices only. Implementing network monitoring solutions that can detect unusual command execution patterns or shell metacharacter injection attempts provides additional defense in depth. The device should be configured with the principle of least privilege, limiting the RPC interface's capabilities and ensuring that only necessary functions are exposed. Organizations should also consider implementing network access control lists to restrict which devices can communicate with the 5G Home unit and establish regular security assessments to identify similar vulnerabilities in other networked devices. This vulnerability highlights the importance of secure coding practices and input validation in embedded systems, particularly those with network interfaces and administrative capabilities, aligning with ATT&CK technique T1059.004 for command and scripting interpreter and T1068 for exploit for privilege escalation.