CVE-2023-44128: Time-of-check Time-of-use (TOCTOU) Race Condition in Electronics LG V60 Thin Q 5G

Severity: 3.6 LOW (NVD)
EPSS: 0.0% (top 94.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 27

Description

The vulnerability allows deletion of arbitrary files in the LGInstallService ("com.lge.lginstallservies") app. The app contains the exported "com.lge.lginstallservies.InstallService" service, which exposes an AIDL interface. All of its "installPackage*" methods ultimately call the "installPackageVerify()" method, which performs signature validation after the delete file method. An attacker can control conditions so that this security check is never performed and an attacker-controlled file is deleted.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
Exploitability: 1.0 | Impact: 2.5

Affected Packages (2 packages)

NVD: google/android, 4.0 - 13.0
CVEListV5: lg_electronics/lg_v60_thin_q_5g, Android 4 - 13

Vulnerability Details (1)

GHSA
GHSA-vrvp-9jr4-5gp9 (2023-09-27): The vulnerability is to delete arbitrary files in LGInstallService ("com