CVE-2022-28369 - OpenCVE

Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 does not validate the user-provided URL within the crtcmode function's enable_ssh sub-operation of the crtcrpc JSON listener (found at /lib/functions/wnc_jsonsh/crtcmode.sh) A remote attacker on the local network can provide a malicious URL. The data (found at that URL) is written to /usr/sbin/dropbear and then executed as root.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Verizon	Lvskihp Indoorunit Firmware Lvskihp Indoorunit

Configuration 1 [-]

AND

cpe:2.3:o:verizon:lvskihp_indoorunit_firmware:3.4.66.162:*:*:*:*:*:*:*

cpe:2.3:h:verizon:lvskihp_indoorunit:-:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/JousterL/SecWriteups/blob/main/Verizon%20LVSKIHP%205G%20Modem/readme.md	Exploit Third Party Advisory
https://www.verizon.com/info/reportsecurityvulnerability/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-07-14T12:29:24

Updated: 2022-07-14T12:29:24

Reserved: 2022-04-03T00:00:00

Link: CVE-2022-28369

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-07-14T13:15:08.153

Modified: 2022-07-21T02:03:04.973

Link: CVE-2022-28369

JSON object: View

Redhat Information

No data.

CWE

CWE-434

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 does not validate the user-provided URL within the crtcmode function's enable_ssh sub-operation of the crtcrpc JSON listener (found at /lib/functions/wnc_jsonsh/crtcmode.sh) A remote attacker on the local network can provide a malicious URL. The data (found at that URL) is written to /usr/sbin/dropbear and then executed as root."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-14T12:29:24", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.verizon.com/info/reportsecurityvulnerability/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/JousterL/SecWriteups/blob/main/Verizon%20LVSKIHP%205G%20Modem/readme.md"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-28369", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 does not validate the user-provided URL within the crtcmode function's enable_ssh sub-operation of the crtcrpc JSON listener (found at /lib/functions/wnc_jsonsh/crtcmode.sh) A remote attacker on the local network can provide a malicious URL. The data (found at that URL) is written to /usr/sbin/dropbear and then executed as root."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.verizon.com/info/reportsecurityvulnerability/", "refsource": "MISC", "url": "https://www.verizon.com/info/reportsecurityvulnerability/"}, {"name": "https://github.com/JousterL/SecWriteups/blob/main/Verizon%20LVSKIHP%205G%20Modem/readme.md", "refsource": "MISC", "url": "https://github.com/JousterL/SecWriteups/blob/main/Verizon%20LVSKIHP%205G%20Modem/readme.md"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-28369", "datePublished": "2022-07-14T12:29:24", "dateReserved": "2022-04-03T00:00:00", "dateUpdated": "2022-07-14T12:29:24", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:verizon:lvskihp_indoorunit_firmware:3.4.66.162:*:*:*:*:*:*:*", "matchCriteriaId": "D9D9319E-5FB5-442A-89B0-3559210B7250", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:verizon:lvskihp_indoorunit:-:*:*:*:*:*:*:*", "matchCriteriaId": "6A0557F4-75F3-4DF4-8F95-CC9F9239D243", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 does not validate the user-provided URL within the crtcmode function's enable_ssh sub-operation of the crtcrpc JSON listener (found at /lib/functions/wnc_jsonsh/crtcmode.sh) A remote attacker on the local network can provide a malicious URL. The data (found at that URL) is written to /usr/sbin/dropbear and then executed as root."}, {"lang": "es", "value": "Verizon 5G Home LVSKIHP InDoorUnit (IDU) versi\u00f3n 3.4.66.162, no comprueba la URL proporcionada por el usuario en la sub operaci\u00f3n enable_ssh de la funci\u00f3n crtcmode del listener JSON de crtcrpc (que es encontrada en /lib/functions/wnc_jsonsh/crtcmode.sh) Un atacante remoto en la red local puede proporcionar una URL maliciosa. Los datos (encontrados en esa URL) son escritos en /usr/sbin/dropbear y luego son ejecutados como root"}], "id": "CVE-2022-28369", "lastModified": "2022-07-21T02:03:04.973", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-14T13:15:08.153", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/JousterL/SecWriteups/blob/main/Verizon%20LVSKIHP%205G%20Modem/readme.md"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.verizon.com/info/reportsecurityvulnerability/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}