CVE-2022-28371
Summary
| CVE | CVE-2022-28371 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-07-14 13:15:00 UTC |
| Updated | 2023-08-08 14:21:00 UTC |
| Description | On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static certificate for access control. This certificate is embedded in the firmware, and is identical across the fleet of devices. An attacker need only download this firmware and extract the private components of these certificates (from /etc/lighttpd.d/ca.pem and /etc/lighttpd.d/server.pem) to gain access. (The firmware download location is shown in a device's upgrade logs.) |
Risk And Classification
Problem Types: CWE-798
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Verizon | Lvskihp Indoorunit | - | All | All | All |
| Operating System | Verizon | Lvskihp Indoorunit Firmware | 3.4.66.162 | All | All | All |
| Hardware | Verizon | Lvskihp Outdoorunit | - | All | All | All |
| Operating System | Verizon | Lvskihp Outdoorunit Firmware | 3.33.101.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Report Security Vulnerability \| Verizon Wireless | MISC | www.verizon.com | |
| SecWriteups/readme.md at main · JousterL/SecWriteups · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.