Lucene search

[email protected]CVE-2020-28055

HistoryNov 10, 2020 - 6:15 p.m.

CVE-2020-28055

2020-11-1018:15:12

CWE-732

[email protected]

web.nvd.nist.gov

tcl

android

smart tv

vulnerability

cve-2020-28055

security

local attacker

file system

nvd

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

7.2 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

47.2%

JSON

A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows a local unprivileged attacker, such as a malicious App, to read & write to the /data/vendor/tcl, /data/vendor/upgrade, and /var/TerminalManager directories within the TV file system. An attacker, such as a malicious APK or local unprivileged user could perform fake system upgrades by writing to the /data/vendor/upgrage folder.

Affected configurations

NVD

Node

tcl32s330Match-

AND

tcl32s330_firmwareRange<v8-r851t10-lf1v091

Node

tcl40s330Match-

AND

tcl40s330_firmwareRange<v8-r851t10-lf1v091

Node

tcl43s434Match-

AND

tcl43s434_firmwareRange<v8-r851t02-lf1v440

Node

tcl50s434Match-

AND

tcl50s434_firmwareRange<v8-r851t02-lf1v440

Node

tcl55s434Match-

AND

tcl55s434_firmwareRange<v8-r851t02-lf1v440

Node

tcl65s434Match-

AND

tcl65s434_firmwareRange<v8-r851t02-lf1v440

Node

tcl75s434Match-

AND

tcl75s434_firmwareRange<v8-r851t02-lf1v440

CPENameOperatorVersion
tcl:32s330_firmwaretcl 32s330 firmwareltv8-r851t10-lf1v091

CPE	Name	Operator	Version
tcl:32s330_firmware	tcl 32s330 firmware	lt	v8-r851t10-lf1v091

References

github.com/sickcodes/security/blob/master/advisories/SICK-2020-012.md

github.com/sickcodes/security/blob/master/etc/CVE-2020-27403_CVE-2020-28055_GlobalFAQ.pdf

github.com/sickcodes/security/blob/master/etc/CVE-2020-27403_CVE-2020-28055_Press-Statement-and-Questions_11162020.pdf

securityledger.com/2020/11/security-holes-opened-back-door-to-tcl-android-smart-tvs/

securityledger.com/2020/11/tv-maker-tcl-denies-back-door-promises-better-process/

sick.codes/extraordinary-vulnerabilities-discovered-in-tcl-android-tvs-now-worlds-3rd-largest-tv-manufacturer/

sick.codes/sick-2020-012

support.tcl.com/vulnerabilities-found-in-tcl-android-tvs

twitter.com/johnjhacking/

twitter.com/sickcodes/

Social References

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

7.2 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

47.2%

JSON

Related for CVE-2020-28055

prion1 cvelist1 nvd1