NVD Vulnerability Detail
Search Exploit, PoC
CVE-2020-27403
Summary

A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows an attacker on the adjacent network to arbitrarily browse and download sensitive files over an insecure web server running on port 7989 that lists all files & directories. An unprivileged remote attacker on the adjacent network, can download most system files, leading to serious critical information disclosure. Also, some TV models and/or FW versions may expose the webserver with the entire filesystem accessible on another port. For example, nmap scan for all ports run directly from the TV model U43P6046 (Android 8.0) showed port 7983 not mentioned in the original CVE description, but containing the same directory listing of the entire filesystem. This webserver is bound (at least) to localhost interface and accessible freely to all unprivileged installed apps on the Android such as a regular web browser. Any app can therefore read any files of any other apps including Android system settings including sensitive data such as saved passwords, private keys etc.

Publication Date Nov. 11, 2020, 3:15 a.m.
Registration Date Jan. 26, 2021, 11:56 a.m.
Last Update Nov. 21, 2024, 2:21 p.m.
CVSS3.1 : MEDIUM
スコア 6.5
Vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
攻撃元区分(AV) 隣接
攻撃条件の複雑さ(AC)
攻撃に必要な特権レベル(PR) 不要
利用者の関与(UI) 不要
影響の想定範囲(S) 変更なし
機密性への影響(C)
完全性への影響(I) なし
可用性への影響(A) なし
CVSS2.0 : LOW
Score 3.3
Vector AV:A/AC:L/Au:N/C:P/I:N/A:N
攻撃元区分(AV) 隣接
攻撃条件の複雑さ(AC)
攻撃前の認証要否(Au) 不要
機密性への影響(C)
完全性への影響(I) なし
可用性への影響(A) なし
Get all privileges. いいえ
Get user privileges いいえ
Get other privileges いいえ
User operation required いいえ
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:o:tcl:32s330_firmware:*:*:*:*:*:*:*:* v8-r851t10-lf1v091
execution environment
1 cpe:2.3:h:tcl:32s330:-:*:*:*:*:*:*:*
Configuration2 or higher or less more than less than
cpe:2.3:o:tcl:40s330_firmware:*:*:*:*:*:*:*:* v8-r851t10-lf1v091
execution environment
1 cpe:2.3:h:tcl:40s330:-:*:*:*:*:*:*:*
Configuration3 or higher or less more than less than
cpe:2.3:o:tcl:43s434_firmware:*:*:*:*:*:*:*:* v8-r851t02-lf1v440
execution environment
1 cpe:2.3:h:tcl:43s434:-:*:*:*:*:*:*:*
Configuration4 or higher or less more than less than
cpe:2.3:o:tcl:50s434_firmware:*:*:*:*:*:*:*:* v8-r851t02-lf1v440
execution environment
1 cpe:2.3:h:tcl:50s434:-:*:*:*:*:*:*:*
Configuration5 or higher or less more than less than
cpe:2.3:o:tcl:55s434_firmware:*:*:*:*:*:*:*:* v8-r851t02-lf1v440
execution environment
1 cpe:2.3:h:tcl:55s434:-:*:*:*:*:*:*:*
Configuration6 or higher or less more than less than
cpe:2.3:o:tcl:65s434_firmware:*:*:*:*:*:*:*:* v8-r851t02-lf1v440
execution environment
1 cpe:2.3:h:tcl:65s434:-:*:*:*:*:*:*:*
Configuration7 or higher or less more than less than
cpe:2.3:o:tcl:75s434_firmware:*:*:*:*:*:*:*:* v8-r851t02-lf1v440
execution environment
1 cpe:2.3:h:tcl:75s434:-:*:*:*:*:*:*:*
Related information, measures and tools
Common Vulnerabilities List
JVN Vulnerability Information
複数の TCL Android Smart TV 製品における脆弱性
Title 複数の TCL Android Smart TV 製品における脆弱性
Summary

複数の TCL Android Smart TV 製品には、不特定の脆弱性が存在します。

Possible impacts 情報を取得される可能性があります。
Solution

ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date Nov. 10, 2020, midnight
Registration Date July 8, 2021, 5:04 p.m.
Last Update July 8, 2021, 5:04 p.m.
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
ベンダー情報
その他
Change Log
No Changed Details Date of change
1 [2021年07月08日]
  掲載		 July 8, 2021, 5:04 p.m.