[Description]
On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static certificate for access control. This certificate is embedded in the firmware and is identical across the fleet of devices. An attacker need only download this firmware and extract the private keys belonging to these certificates (from /etc/lighttpd.d/ca.pem and /etc/lighttpd.d/server.pem) to gain access. (The firmware download location is shown in a device's upgrade logs.)

[Additional Information]
This vulnerability has been patched in firmware 5.4.91.162 (IDU) and 5.33.141.0 (ODU). The firmware download location can be ascertained from the upgrade logs within a device.

[Vulnerability Type]
Use of Hard-coded Credentials

[Vendor of Product]
Verizon / Wistron Neweb Corporation

[Affected Product Code Base]
Verizon 5G Home Internet Modem/Router LVSKIHP - 3.33.101.0 (ODU)
Verizon 5G Home Internet Modem/Router LVSKIHP - 3.4.66.162 (IDU)

[Affected Component]
OutDoorUnit filesystem - /etc/lighttpd.d/ca.pem, /etc/lighttpd.d/server.pem

[Impact]
Escalation of Privileges
Information Disclosure

[Attack Vectors]
To exploit this vulnerability, an attacker must download the firmware package for the device and extract its filesystem.

[Discoverers]
Matthew Lichtenberger, Shea Polansky
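The weakness class here is private key material shipped inside a firmware image, which every device running that image then shares. The following is an added audit example (not code from the advisory or the vendor) that walks an extracted firmware filesystem, flags every PEM private-key block, and reports keys that recur across several images (for example between an IDU and an ODU build, or across versions); the firmware trees and key bodies it builds are constructed placeholders, not real keys.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict
# Any PEM private-key block (RSA, EC, PKCS#8, encrypted or not).
PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----", re.S)

def find_private_keys(root):
    """Walk an extracted firmware filesystem; return {relative path: [key digests]}."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    data = fh.read()
            except OSError:
                continue  # broken symlink, device node, etc.
            # Hash the base64 body with whitespace stripped so one key is recognised
            # regardless of line wrapping or the certificates bundled beside it.
            digests = [hashlib.sha256("".join(body.split()).encode()).hexdigest()
                       for _, body in PRIVATE_KEY_RE.findall(data)]
            if digests:
                found[os.path.relpath(path, root)] = digests
    return found

def keys_reused_across_images(images):
    """images: {name: root}. Return {digest: [(name, path)]} for keys in >1 image."""
    seen = defaultdict(list)
    for image, root in images.items():
        for path, digests in find_private_keys(root).items():
            for d in digests:
                seen[d].append((image, path))
    return {d: locs for d, locs in seen.items() if len({i for i, _ in locs}) > 1}

# Constructed placeholder key material for the demo; not real keys.
FAKE_KEY_A = ("-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQgS0VZIEE=\n"
              "-----END RSA PRIVATE KEY-----\n")
FAKE_KEY_B = FAKE_KEY_A.replace("S0VZIEE=", "S0VZIEI=")
def demo():
    """Three tiny fake images, two sharing a key; returns (per-image findings, reused)."""
    images = {}
    for name, pem in (("idu-a", FAKE_KEY_A), ("idu-b", FAKE_KEY_A), ("odu", FAKE_KEY_B)):
        conf = os.path.join(tempfile.mkdtemp(), name, "etc", "lighttpd.d")
        os.makedirs(conf)
        with open(os.path.join(conf, "server.pem"), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n" + pem)
        images[name] = os.path.dirname(os.path.dirname(conf))
    return {n: find_private_keys(r) for n, r in images.items()}, keys_reused_across_images(images)
```

Any hit from find_private_keys on a release image is a finding in itself; the fix for this class of issue is per-device provisioning of the server and client credentials rather than a certificate baked into the image.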