[Description]
Verizon 5G Home LVSKIHP OutDoorUnit (ODU 3.33.101.0 allow anyone (knowing the device's serial number) to access a CPE admin website, e.g., at the 10.0.0.1 IP address. The password (for the verizon username) is calculated by concatenating the serial number and the model (i.e., the LVSKIHP string), generating a SHA256 hash, and then extracting the first seven characters concatenated with the last seven characters.

[Additional Information]
This vulnerability has been patched on firmware 5.33.141.0.

[Vulnerability Type]
Use of Hard-coded Credentials

[Vendor of Product]
Verizon / Wistron Neweb Corporation

[Affected Product Code Base]
Verizon 5G Home Internet Modem/Router LVSKIHP - 3.33.101.0 (ODU)

[Affected Component]
Lines 9-27 of OutDoorUnit file /etc/initscripts/wnc_keygen: 
wnc_create_engineer_pwd() {
    SN_VALIDATION=`grep "serial_number" /factory/mm_default | sed 's/^.* \"//g' | sed 's/\".*$//g'`
    [ -n "$SN_VALIDATION" ] && {
        [ ! -f /usr/bin/sha256sum ] && {
            echo "wnc_factoryssidkeypwd: /usr/bin/sha256sum is not existed"
            exit 1
        }
        model=`grep "model" /factory/mm_default | sed 's/^.* \"//g' | sed 's/\".*$//g'`
        [ ! -n "$model" ] && {
            model="LVSKIHP"
        }
        snmodel_sha256=`echo -n $SN_VALIDATION$model | sha256sum`
        snmodel_first7char=`echo $snmodel_sha256 | cut -c1-7`
        snmodel_last7char=`echo $snmodel_sha256 | cut -c58-64`
        pwd=$snmodel_first7char$snmodel_last7char
        load_user_passwd "1" "verizon" "adm" "/bin/false" "$pwd"
        load_user_shadow "1" "verizon" "$pwd"
    }
}

[Attack Type]
Remote

[Impact]
Escalation of Privileges
Information Disclosure

[Attack Vectors]
To exploit the vulnerability, a user must identify the serial number of a device.

[Discoverers]
Matthew Lichtenberger, Shea Polansky