First published: Wed Sep 27 2023
The vulnerability allows deletion of arbitrary files through the LGInstallService ("com.lge.lginstallservies") app. The app contains the exported "com.lge.lginstallservies.InstallService" service, which exposes an AIDL interface. All of its "installPackage*" methods ultimately call the "installPackageVerify()" method, which performs signature validation after the file-deletion method. An attacker can control conditions so that this security check is never performed and an attacker-controlled file is deleted.
Credit: product.security@lge.com
Affected Software | Affected Version | How to fix |
---|---|---|
Google Android | >=4.0, <=13.0 | |
Lg V60 Thin Q 5g | | |
CVE-2023-44128 is a vulnerability that allows an attacker to delete arbitrary files in the LGInstallService app.
Google Android versions 4.0 to 13.0 and LG V60 Thin Q 5g are affected by CVE-2023-44128.
CVE-2023-44128 has a severity rating of medium (3.6).
An attacker can exploit CVE-2023-44128 by leveraging the exported "com.lge.lginstallservies.InstallService" service in the LGInstallService app to delete arbitrary files.
It is recommended to update to the latest version of Google Android or LG V60 Thin Q 5g to mitigate CVE-2023-44128.
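The ordering flaw described above (a destructive file operation that runs before signature validation) can be modelled in plain Java next to a hardened ordering. This is an added example, not LG's code: the class, the method names, the staging directory and the name-based stand-in verifier are all hypothetical, and the sample files are constructed in temporary directories.

```java
import java.io.IOException;
import java.nio.file.*;

// Added example with hypothetical names; a model of the ordering flaw, not LG's code.
public class InstallOrderingDemo {
    interface SignatureVerifier { boolean isTrusted(Path apk) throws IOException; }

    private final Path stagingDir;            // the only directory the service may clean up
    private final SignatureVerifier verifier;

    InstallOrderingDemo(Path stagingDir, SignatureVerifier verifier) throws IOException {
        this.stagingDir = stagingDir.toRealPath();
        this.verifier = verifier;
    }

    // Flawed ordering: the destructive step runs on a caller-supplied path
    // before validation, so a rejected (or never-checked) request still deletes.
    boolean installDeleteFirst(String callerPath) throws IOException {
        Path p = Paths.get(callerPath);
        Files.deleteIfExists(p);
        return verifier.isTrusted(p);
    }

    // Hardened ordering: confine the path, validate, then clean up.
    boolean installVerifyFirst(String callerPath) throws IOException {
        Path p;
        try {
            p = Paths.get(callerPath).toRealPath();   // resolves symlinks and ".."
        } catch (NoSuchFileException e) {
            return false;
        }
        if (!p.startsWith(stagingDir)) return false;  // element-wise check, not a string prefix
        if (!verifier.isTrusted(p)) return false;     // reject before any side effect
        // (the install step would run here)
        Files.deleteIfExists(p);                      // remove only our own staged copy
        return true;
    }

    public static void main(String[] args) throws IOException {
        Path staging = Files.createTempDirectory("staging");
        Path staged = Files.createFile(staging.resolve("pkg.apk"));  // constructed sample
        Path outside = Files.createTempFile("other-app", ".dat");    // constructed sample
        // Stand-in verifier (assumption): trusts by file name only, for the demo.
        InstallOrderingDemo svc = new InstallOrderingDemo(staging, f -> f.toString().endsWith(".apk"));
        System.out.println(svc.installVerifyFirst(outside.toString()) + " " + Files.exists(outside));
        System.out.println(svc.installVerifyFirst(staged.toString()) + " " + Files.exists(staged));
        System.out.println(svc.installDeleteFirst(outside.toString()) + " " + Files.exists(outside));
    }
}
```

Each printed line shows the method's result followed by whether the file still exists afterwards. On a multi-user system the check and the delete should also operate on the same opened file handle or a private directory, since a path can change between the two steps.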