[Description]
On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints provide a means of provisioning a firmware update for the device via crtc_fw_upgrade or crtcfwimage functions. The URL provided is not validated, and thus allows for arbitrary file upload to the device. This occurs in /lib/lua/luci/crtc.lua (IDU) and /lib/functions/wnc_jsonsh/wnc_crtc_fw.sh (ODU).

[Additional Information]
This vulnerability has been patched on firmware 5.4.91.162 (IDU) and 5.33.141.0 (ODU). The vulnerable endpoint requires the use of a set of certificates that is embedded in the firmware provisioned to all devices in the fleet (see CVE-2022-28371 for details).

[Vulnerability Type]
Download of Code Without Integrity Check

[Vendor of Product]
Verizon / Wistron Neweb Corporation

[Affected Product Code Base]
Verizon 5G Home Internet Modem/Router LVSKIHP - 3.33.101.0 (ODU)
Verizon 5G Home Internet Modem/Router LVSKIHP - 3.4.66.162 (IDU)

[Affected Component]
Line 55 of OutDoorUnit file /lib/functions/wnc_jsonsh/wnc_crtc_fw.sh:
    curl -o /reserved/firmware.img $URL
Line 315 of InDoorUnit file /lib/lua/luci/crtc.lua:
    system.fork_exec("lua /usr/share/rpc/rpc_cli.lua crtc_fw_upgrade %s" %{para1})

[Attack Type]
Remote

[Impact]
Code Execution
Denial of Service

[Attack Vectors]
An attacker must invoke the ODU endpoint "crtc_fw_upgrade" or the IDU endpoint "crtcfwimage" with a maliciously provided package.

[Discoverers]
Matthew Lichtenberger, Shea Polansky
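
Added example (not Verizon's or WNC's code, and not the actual patch): a hardened form of the ODU download step quoted under [Affected Component], which validates the URL and checks a SHA-256 digest before the image reaches its final path. The host firmware.example.invalid, the function names, and the assumption that the expected digest comes from a separately authenticated manifest are illustrative.

```shell
#!/bin/sh
# Added example; not vendor code. ALLOWED_HOST is a hypothetical placeholder.
ALLOWED_HOST="firmware.example.invalid"

# Return 0 only for https URLs on the allowlisted host with a plain *.img path.
validate_fw_url() {
    url=$1
    case "$url" in
        https://*) ;;
        *) return 1 ;;
    esac
    rest=${url#https://}
    host=${rest%%/*}
    path=${rest#"$host"}
    # Exact match rejects userinfo (user@host), ports and look-alike hosts.
    [ "$host" = "$ALLOWED_HOST" ] || return 1
    case "$path" in
        *[!A-Za-z0-9/._-]*|*..*) return 1 ;;   # metacharacters, traversal
        /*.img) return 0 ;;
    esac
    return 1
}

# Return 0 only if the file's SHA-256 equals the expected hex digest.
# Assumption: the digest comes from a separately authenticated source
# (e.g. a signed manifest), never from the caller that supplied the URL.
verify_fw_digest() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Download to a temp file, verify it, and only then move it into place.
fetch_firmware() {
    url=$1
    expected=$2
    dest=$3
    validate_fw_url "$url" || { echo "rejected URL" >&2; return 1; }
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if curl --fail --silent --proto '=https' --max-redirs 0 -o "$tmp" --url "$url" &&
        verify_fw_digest "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Because the endpoint is reachable with certificates shared across the fleet, the digest (or, better, a signature) has to be anchored in something the caller cannot supply alongside the URL.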