LGInstallService - Deletion of arbitrary files with system privilege
CVE-2023-44128

5MEDIUM

Key Information:

Vendor: Lg Electronics
Status: Lg V60 Thin Q 5g(lmv600vm)
Vendor: CVE Published:; 27 September 2023

🔔 Create Lg Electronics Vulnerability Alert

What is CVE-2023-44128?

he vulnerability is to delete arbitrary files in LGInstallService ("com.lge.lginstallservies") app. The app contains the exported "com.lge.lginstallservies.InstallService" service that exposes an AIDL interface. All its "installPackage*" methods are finally calling the "installPackageVerify()" method that performs signature validation after the delete file method. An attacker can control conditions so this security check is never performed and an attacker-controlled file is deleted.

Affected Version(s)

LG V60 Thin Q 5G(LMV600VM) Android 4 <= 13

References

https://lgsecurity.lge.com/bulletins/mobile#updateDetails

vendor-advisory

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 27, 2023
Vulnerability Reserved
Sep 26, 2023