Login Sign Up

CVE-2020-28055

7.8 HIGH

📋 TL;DR

This vulnerability allows local unprivileged attackers, such as malicious apps or users, to read and write to critical directories in TCL Android Smart TV file systems. Attackers can perform fake system upgrades by writing to the /data/vendor/upgrade folder. Affected are TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below.

💻 Affected Systems

Products:
  • TCL Android Smart TV series V8-R851T02-LF1
  • TCL Android Smart TV series V8-T658T01-LF1
Versions: V8-R851T02-LF1 V295 and below, V8-T658T01-LF1 V373 and below
Operating Systems: Android TV OS
Default Config Vulnerable: ⚠️ Yes
Notes: All affected TVs with default configurations are vulnerable. Requires local access or malicious app installation.

📦 What is this software?

32s330 Firmware by Tcl

View all CVEs affecting 32s330 Firmware →

40s330 Firmware by Tcl

View all CVEs affecting 40s330 Firmware →

43s434 Firmware by Tcl

View all CVEs affecting 43s434 Firmware →

50s434 Firmware by Tcl

View all CVEs affecting 50s434 Firmware →

55s434 Firmware by Tcl

View all CVEs affecting 55s434 Firmware →

65s434 Firmware by Tcl

View all CVEs affecting 65s434 Firmware →

75s434 Firmware by Tcl

View all CVEs affecting 75s434 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete TV compromise allowing installation of persistent malware, firmware modification, data theft, and potential lateral movement to other devices on the network.

🟠

Likely Case

Malicious apps gaining elevated privileges, installing unauthorized software, modifying system files, and potentially bricking the TV.

🟢

If Mitigated

Limited to app sandbox escape but no further system compromise if proper directory permissions are enforced.

🌐 Internet-Facing: LOW - Requires local access or malicious app installation, not directly exploitable over internet.
🏢 Internal Only: HIGH - Local attackers or malicious apps can exploit this to gain elevated system access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access or malicious app installation. Public details available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions above V295 for V8-R851T02-LF1 and above V373 for V8-T658T01-LF1

Vendor Advisory: https://github.com/sickcodes/security/blob/master/etc/CVE-2020-27403_CVE-2020-28055_Press-Statement-and-Questions_11162020.pdf

Restart Required: Yes

Instructions:

1. Check current TV firmware version in Settings > About. 2. If vulnerable, enable automatic updates in Settings > System > Update. 3. Manually check for updates and install if available. 4. Restart TV after update completes.

🔧 Temporary Workarounds

Disable Unknown Sources

android

Prevents installation of malicious APKs that could exploit this vulnerability

Settings > Security > Unknown Sources (set to OFF)

Restrict App Permissions

android

Review and restrict permissions for installed apps, especially file system access

Settings > Apps > [App Name] > Permissions

🧯 If You Can't Patch

  • Disconnect TV from network when not in use to prevent remote app installation
  • Only install apps from official Google Play Store, avoid sideloading APKs

🔍 How to Verify

Check if Vulnerable:

Check TV firmware version in Settings > About > Build number. If version is V295 or below for V8-R851T02-LF1 series, or V373 or below for V8-T658T01-LF1 series, the device is vulnerable.

Check Version:

Settings > About > Build number

Verify Fix Applied:

After update, verify firmware version is above V295 for V8-R851T02-LF1 or above V373 for V8-T658T01-LF1. Test with security scanning tools if available.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file access to /data/vendor/tcl, /data/vendor/upgrade, /var/TerminalManager
  • Unexpected system upgrade processes
  • Permission denied errors for system directories

Network Indicators:

  • Unusual outbound connections from TV to unknown servers
  • Unexpected network traffic during system updates

SIEM Query:

source="tv_logs" AND (path="/data/vendor/tcl/*" OR path="/data/vendor/upgrade/*" OR path="/var/TerminalManager/*") AND user!="system"

📊 Metadata

CVE ID: CVE-2020-28055
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-732
Published: November 10, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-28055, you might also want to check these:

CVE-2021-33509 9.9

This vulnerability allows remote authenticated managers in Plone to perform arbitrary disk I/O opera...

Same vulnerability type (CWE-732)
CVE-2024-5618 9.9

This vulnerability allows attackers to access functionality they shouldn't have permission to use in...

Same vulnerability type (CWE-732)
CVE-2023-40622 9.9

This vulnerability in SAP BusinessObjects Business Intelligence Platform allows authenticated attack...

Same vulnerability type (CWE-732)