Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2022-28377 |
On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static account username/password for access control. This password can be generated via a binary included in the firmware, after ascertaining the MAC address of the IDU's base Ethernet interface, and adding the string DEVICE_MANUFACTURER='Wistron_NeWeb_Corp.' to /etc/device_info to replicate the host environment. This occurs in /etc/init.d/wnc_factoryssidkeypwd (IDU). Published: July 14, 2022; 9:15:08 AM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2022-28375 |
Verizon 5G Home LVSKIHP OutDoorUnit (ODU) 3.33.101.0 does not property sanitize user-controlled parameters within the crtcswitchsimprofile function of the crtcrpc JSON listener. A remote attacker on the local network can inject shell metacharacters into /usr/lib/lua/5.1/luci/controller/rpc.lua to achieve remote code execution as root, Published: July 14, 2022; 9:15:08 AM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2022-28374 |
Verizon 5G Home LVSKIHP OutDoorUnit (ODU) 3.33.101.0 does not property sanitize user-controlled parameters within the DMACC URLs on the Settings page of the Engineering portal. An authenticated remote attacker on the local network can inject shell metacharacters into /usr/lib/lua/5.1/luci/controller/admin/settings.lua to achieve remote code execution as root. Published: July 14, 2022; 9:15:08 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2022-28373 |
Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 does not properly sanitize user-controlled parameters within the crtcreadpartition function of the crtcrpc JSON listener in /usr/lib/lua/luci/crtc.lua. A remote attacker on the local network can inject shell metacharacters to achieve remote code execution as root. Published: July 14, 2022; 9:15:08 AM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2022-28372 |
On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints provide a means of provisioning a firmware update for the device via crtc_fw_upgrade or crtcfwimage. The URL provided is not validated, and thus allows for arbitrary file upload to the device. This occurs in /lib/lua/luci/crtc.lua (IDU) and /lib/functions/wnc_jsonsh/wnc_crtc_fw.sh (ODU). Published: July 14, 2022; 9:15:08 AM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2022-28371 |
On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static certificate for access control. This certificate is embedded in the firmware, and is identical across the fleet of devices. An attacker need only download this firmware and extract the private components of these certificates (from /etc/lighttpd.d/ca.pem and /etc/lighttpd.d/server.pem) to gain access. (The firmware download location is shown in a device's upgrade logs.) Published: July 14, 2022; 9:15:08 AM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2022-28370 |
On Verizon 5G Home LVSKIHP OutDoorUnit (ODU) 3.33.101.0 devices, the RPC endpoint crtc_fw_upgrade provides a means of provisioning a firmware update for the device. /lib/functions/wnc_jsonsh/wnc_crtc_fw.sh has no cryptographic validation of the image, thus allowing an attacker to modify the installed firmware. Published: July 14, 2022; 9:15:08 AM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2022-28369 |
Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 does not validate the user-provided URL within the crtcmode function's enable_ssh sub-operation of the crtcrpc JSON listener (found at /lib/functions/wnc_jsonsh/crtcmode.sh) A remote attacker on the local network can provide a malicious URL. The data (found at that URL) is written to /usr/sbin/dropbear and then executed as root. Published: July 14, 2022; 9:15:08 AM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2013-5933 |
Stack-based buffer overflow in the sub_E110 function in init in a certain configuration of Android 2.3.7 on the Motorola Defy XT phone for Republic Wireless allows local users to gain privileges or cause a denial of service (memory corruption) by writing a long string to the /dev/socket/init_runit socket that is inconsistent with a certain length value that was previously written to this socket. Published: September 25, 2013; 6:31:29 AM -0400 |
V3.x:(not available) V2.0: 6.9 MEDIUM |
CVE-2013-4777 |
A certain configuration of Android 2.3.7 on the Motorola Defy XT phone for Republic Wireless uses init to create a /dev/socket/init_runit socket that listens for shell commands, which allows local users to gain privileges by interacting with a LocalSocket object. Published: September 25, 2013; 6:31:29 AM -0400 |
V3.x:(not available) V2.0: 6.9 MEDIUM |
CVE-2006-1319 |
chpst in runit 1.3.3-1 for Debian GNU/Linux, when compiled on little endian i386 machines against dietlibc, does not properly handle when multiple groups are specified in the -u option, which causes chpst to assign permissions for the root group due to inconsistent bit sizes for the gid_t type. Published: March 20, 2006; 6:02:00 AM -0500 |
V3.x:(not available) V2.0: 6.2 MEDIUM |