7.5

CVE-2022-28371

Exploit

EPSS 0.21%
Veröffentlicht 14.07.2022 13:15:08
Zuletzt bearbeitet 21.11.2024 06:57:14
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static certificate for access control. This certificate is embedded in the firmware, and is identical across the fleet of devices. An attacker need only download this firmware and extract the private components of these certificates (from /etc/lighttpd.d/ca.pem and /etc/lighttpd.d/server.pem) to gain access. (The firmware download location is shown in a device's upgrade logs.)

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Verizon ≫ Lvskihp Indoorunit Firmware Version3.4.66.162

Verizon ≫ Lvskihp Indoorunit Version-

Verizon ≫ Lvskihp Outdoorunit Firmware Version3.33.101.0

Verizon ≫ Lvskihp Outdoorunit Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.433

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://github.com/JousterL/SecWriteups/blob/main/Verizon%20LVSKIHP%205G%20Modem/readme.md

Third Party Advisory

Exploit

https://www.verizon.com/info/reportsecurityvulnerability/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-28371

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-28371

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-28371

EUVD