Vulnerability identifier: #VU28535
Vulnerability risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID:
CWE-ID: CWE-74
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Operating systems & Components / Operating system: Google Android
Mobile applications / Mobile firmware & hardware: LG DH50, LG DH5, LG DH40, LG DH35, LG DH30, LG DH15, LG DH10, LG Q70, LG Q60, LG K50, LG K40, LG K30, LG K20, LG CV7AS, LG CV1S, LG CV7, LG CV5, LG CV3, LG CV1, LG X cam, LG X500, LG X400, LG X300, LG Q8, LG Q6, LG V60, LG V50, LG V40, LG V35, LG V30, LG V20, LG G8, LG G7, LG G6
Vendor: Google, LG Electronics
Description
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to improper validation of input in the bootloader. A remote attacker can execute arbitrary code on the system.
Note: The LG ID is LVE-SMP-200006
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Google Android: 7.2, 8.0 - 8.1, 9.0, 10
LG DH50: All versions
LG DH5: All versions
LG DH40: All versions
LG DH35: All versions
LG DH30: All versions
LG DH15: All versions
LG DH10: All versions
LG Q70: All versions
LG Q60: All versions
LG K50: All versions
LG K40: All versions
LG K30: All versions
LG K20: All versions
LG CV7AS: All versions
LG CV1S: All versions
LG CV7: All versions
LG CV5: All versions
LG CV3: All versions
LG CV1: All versions
LG X cam: All versions
LG X500: All versions
LG X400: All versions
LG X300: All versions
LG Q8: All versions
LG Q6: All versions
LG V60: All versions
LG V50: All versions
LG V40: All versions
LG V35: All versions
LG V30: All versions
LG V20: All versions
LG G8: All versions
LG G7: All versions
LG G6: All versions
External links
https://lgsecurity.lge.com/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.