Static Account Credentials Vulnerability in Verizon 5G Home LVSKIHP InDoorUnit (IDU) and OutDoorUnit (ODU) Devices

CVE-2022-28377 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static account username/password for access control. This password can be generated via a binary included in the firmware, after ascertaining the MAC address of the IDU's base Ethernet interface, and adding the string DEVICE_MANUFACTURER='Wistron_NeWeb_Corp.' to /etc/device_info to replicate the host environment. This occurs in /etc/init.d/wnc_factoryssidkeypwd (IDU).
