CVE-2020-28055

CVSS V2 High 7.2 CVSS V3 High 7.8
Description
A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows a local unprivileged attacker, such as a malicious App, to read & write to the /data/vendor/tcl, /data/vendor/upgrade, and /var/TerminalManager directories within the TV file system. An attacker, such as a malicious APK or local unprivileged user could perform fake system upgrades by writing to the /data/vendor/upgrage folder.
Overview
  • CVE ID
  • CVE-2020-28055
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2020-11-10T18:15:12
  • Last Modified Date
  • 2020-12-08T18:38:29
Weakness Enumerations
CWE URL
CWE-732 http://cwe.mitre.org/data/definitions/732.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
AND
cpe:2.3:o:tcl:32s330_firmware:*:*:*:*:*:*:*:* 1 OR v8-r851t10-lf1v091
cpe:2.3:h:tcl:32s330:-:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:o:tcl:40s330_firmware:*:*:*:*:*:*:*:* 1 OR v8-r851t10-lf1v091
cpe:2.3:h:tcl:40s330:-:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:o:tcl:43s434_firmware:*:*:*:*:*:*:*:* 1 OR v8-r851t02-lf1v440
cpe:2.3:h:tcl:43s434:-:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:o:tcl:50s434_firmware:*:*:*:*:*:*:*:* 1 OR v8-r851t02-lf1v440
cpe:2.3:h:tcl:50s434:-:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:o:tcl:55s434_firmware:*:*:*:*:*:*:*:* 1 OR v8-r851t02-lf1v440
cpe:2.3:h:tcl:55s434:-:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:o:tcl:65s434_firmware:*:*:*:*:*:*:*:* 1 OR v8-r851t02-lf1v440
cpe:2.3:h:tcl:65s434:-:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:o:tcl:75s434_firmware:*:*:*:*:*:*:*:* 1 OR v8-r851t02-lf1v440
cpe:2.3:h:tcl:75s434:-:*:*:*:*:*:*:* 0 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:L/AC:L/Au:N/C:C/I:C/A:C
  • Access Vector
  • LOCAL
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • COMPLETE
  • Integrity Impact
  • COMPLETE
  • Availability Impact
  • COMPLETE
  • Base Score
  • 7.2
  • Severity
  • HIGH
  • Exploitability Score
  • 3.9
  • Impact Score
  • 10
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector
  • LOCAL
  • Attack Compatibility
  • LOW
  • Privileges Required
  • LOW
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 7.8
  • Base Severity
  • HIGH
  • Exploitability Score
  • 1.8
  • Impact Score
  • 5.9
References
Reference URL Reference Tags
https://twitter.com/sickcodes/ Third Party Advisory
https://twitter.com/johnjhacking/ Third Party Advisory
https://sick.codes/extraordinary-vulnerabilities-discovered-in-tcl-android-tvs-now-worlds-3rd-largest-tv-manufacturer/ Exploit Third Party Advisory
https://github.com/sickcodes/security/blob/master/advisories/SICK-2020-012.md Exploit Third Party Advisory
https://sick.codes/sick-2020-012 Exploit Third Party Advisory
https://securityledger.com/2020/11/tv-maker-tcl-denies-back-door-promises-better-process/ Third Party Advisory
https://securityledger.com/2020/11/security-holes-opened-back-door-to-tcl-android-smart-tvs/ Third Party Advisory
https://github.com/sickcodes/security/blob/master/etc/CVE-2020-27403_CVE-2020-28055_Press-Statement-and-Questions_11162020.pdf Third Party Advisory
https://support.tcl.com/vulnerabilities-found-in-tcl-android-tvs Vendor Advisory
https://github.com/sickcodes/security/blob/master/etc/CVE-2020-27403_CVE-2020-28055_GlobalFAQ.pdf Third Party Advisory
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2020-28055
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28055
History
Created Old Value New Value Data Type Notes
2022-05-10 07:30:57 Added to TrackCVE
2022-12-05 16:24:04 2020-11-10T18:15Z 2020-11-10T18:15:12 CVE Published Date updated
2022-12-05 16:24:04 2020-12-08T18:38:29 CVE Modified Date updated
2022-12-05 16:24:04 Analyzed Vulnerability Status updated