[Description]
Verizon 5G Home LVSKIHP OutDoorUnit (ODU) 3.33.101.0 does not property sanitize user-controlled parameters within the crtcswitchsimprofile function of the crtcrpc JSON listener. A remote attacker on the local network can inject shell metacharacters into /usr/lib/lua/5.1/luci/controller/rpc.lua to achieve remote code execution as root.

[Additional Information]
This vulnerability has been patched on firmware 5.33.141.0. This vulnerable endpoint requires the use of a set of certificates that is embedded in the firmware provisioned to all devices in the fleet (see CVE-2022-28371 for details).

[Vulnerability Type]
Shell Metacharacter Injection

[Vendor of Product]
Verizon / Wistron Neweb Corporation

[Affected Product Code Base]
Verizon 5G Home Internet Modem/Router LVSKIHP - 3.33.101.0 (ODU)

[Affected Component]
Line 781 of OutDoorUnit file /usr/lib/lua/5.1/luci/controller/rpc.lua: 
   fork_exec(simswitch.sh %s % {para1})

[Attack Type]
Remote

[Impact]
Code Execution
Denial of Service
Escalation of Privileges
Information Disclosure

[Attack Vectors]
To exploit the vulnerability, a user must send a specially crafted request to a JSONRPC endpoint

[Discoverers]
Matthew Lichtenberger, Shea Polansky