Remote code execution in LG mobile devices with Android OS
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Improper Neutralization of Special Elements in Output Used by a Downstream Component
EUVDB-ID: #VU28535
Risk: High
CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-12753
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to improper validation of input in the bootloader. A remote attacker can execute arbitrary code on the system.
Note: The LG ID is LVE-SMP-200006
MitigationInstall updates from vendor's website.
Vulnerable software versionsGoogle Android: 7.2 - 10
LG DH50: All versions
LG DH5: All versions
LG DH40: All versions
LG DH35: All versions
LG DH30: All versions
LG DH15: All versions
LG DH10: All versions
LG Q70: All versions
LG Q60: All versions
LG K50: All versions
LG K40: All versions
LG K30: All versions
LG K20: All versions
LG CV7AS: All versions
LG CV1S: All versions
LG CV7: All versions
LG CV5: All versions
LG CV3: All versions
LG CV1: All versions
LG X cam: All versions
LG X500: All versions
LG X400: All versions
LG X300: All versions
LG Q8: All versions
LG Q6: All versions
LG V60: All versions
LG V50: All versions
LG V40: All versions
LG V35: All versions
LG V30: All versions
LG V20: All versions
LG G8: All versions
LG G7: All versions
LG G6: All versions
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
