CVE-2020-28055
First published: Tue Nov 10 2020(Updated: )
A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows a local unprivileged attacker, such as a malicious App, to read & write to the /data/vendor/tcl, /data/vendor/upgrade, and /var/TerminalManager directories within the TV file system. An attacker, such as a malicious APK or local unprivileged user could perform fake system upgrades by writing to the /data/vendor/upgrage folder.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Tcl 32s330 Firmware | <v8-r851t10-lf1v091 | |
| Tcl 32s330 | ||
| Tcl 40s330 Firmware | <v8-r851t10-lf1v091 | |
| Tcl 40s330 | ||
| Tcl 43s434 Firmware | <v8-r851t02-lf1v440 | |
| Tcl 43s434 | ||
| Tcl 50s434 Firmware | <v8-r851t02-lf1v440 | |
| Tcl 50s434 | ||
| Tcl 55s434 Firmware | <v8-r851t02-lf1v440 | |
| Tcl 55s434 | ||
| Tcl 65s434 Firmware | <v8-r851t02-lf1v440 | |
| Tcl 65s434 | ||
| Tcl 75s434 Firmware | <v8-r851t02-lf1v440 | |
| Tcl 75s434 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2020-012.md
- https://github.com/sickcodes/security/blob/master/etc/CVE-2020-27403_CVE-2020-28055_GlobalFAQ.pdf
- https://github.com/sickcodes/security/blob/master/etc/CVE-2020-27403_CVE-2020-28055_Press-Statement-and-Questions_11162020.pdf
- https://securityledger.com/2020/11/security-holes-opened-back-door-to-tcl-android-smart-tvs/
- https://securityledger.com/2020/11/tv-maker-tcl-denies-back-door-promises-better-process/
- https://sick.codes/extraordinary-vulnerabilities-discovered-in-tcl-android-tvs-now-worlds-3rd-largest-tv-manufacturer/
- https://sick.codes/sick-2020-012
- https://support.tcl.com/vulnerabilities-found-in-tcl-android-tvs
- https://twitter.com/johnjhacking/
- https://twitter.com/sickcodes/
Frequently Asked Questions
What is the severity of CVE-2020-28055?
CVE-2020-28055 is considered a high-severity vulnerability affecting certain TCL Android Smart TV models.
How do I fix CVE-2020-28055?
To fix CVE-2020-28055, update the affected TCL Android Smart TV firmware to version V8-R851T10-LF1V091 or later.
Which TCL Android Smart TV models are affected by CVE-2020-28055?
TCL Android Smart TV models V8-R851T02-LF1 V295 and below, and V8-T658T01-LF1 V373 and below are affected by CVE-2020-28055.
What are the potential risks associated with CVE-2020-28055?
If exploited, CVE-2020-28055 allows local unprivileged attackers to read and write to sensitive system directories.
Is my TCL Android Smart TV vulnerable if it has been updated?
If your TCL Android Smart TV has been updated to firmware versions greater than V8-R851T10-LF1V091 or V8-T658T01-LF1 V373, it is not vulnerable to CVE-2020-28055.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/author
- agent/event
- agent/description
- agent/first-publish-date
- agent/tags
- agent/source
- vendor/tcl
- canonical/tcl 32s330 firmware
- canonical/tcl 32s330
- canonical/tcl 40s330 firmware
- canonical/tcl 40s330
- canonical/tcl 43s434 firmware
- canonical/tcl 43s434
- canonical/tcl 50s434 firmware
- canonical/tcl 50s434
- canonical/tcl 55s434 firmware
- canonical/tcl 55s434
- canonical/tcl 65s434 firmware
- canonical/tcl 65s434
- canonical/tcl 75s434 firmware
- canonical/tcl 75s434