CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
6.1 | $0-$5k | 0.00 |
A vulnerability has been found in LG PC Suite up to 5.3.25.20150529 on Windows and classified as critical. Affected by this vulnerability is an unknown code of the component Updater. The manipulation with an unknown input leads to a missing encryption vulnerability. The CWE definition for the vulnerability is CWE-311. The product does not encrypt sensitive or critical information before storage or transmission. As an impact it is known to affect confidentiality, integrity, and availability.
The weakness was released 10/11/2016 with Blue Frost Security Research Lab as BFS-SA-2016-004 as not defined mailinglist post (Full-Disclosure). It is possible to read the advisory at seclists.org. The public release was coordinated with LG. The attack can be launched remotely. A single authentication is needed for exploitation. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 05/07/2019). The attack technique deployed by this issue is T1600 according to MITRE ATT&CK. The advisory points out:
The LG PC Suite update mechanism is vulnerable to a man-in-the-middle attack. Through the manipulation of files transmitted over HTTP an attacker can force the execution of arbitrary code on the target system. Code is executed with the privileges of the currently logged on user.
The mailinglist post contains the following remark:
LG will not provide software updates to address the issue because the LG PC Suite reached the end of its product life cycle.
Additional details are provided at labs.bluefrostsecurity.de.
Product
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.3VulDB Meta Temp Score: 6.1
VulDB Base Score: 6.3
VulDB Temp Score: 6.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Missing encryptionCWE: CWE-311 / CWE-310
ATT&CK: T1600
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Timeline
10/11/2016 🔍10/12/2016 🔍
05/07/2019 🔍
Sources
Advisory: BFS-SA-2016-004Organization: Blue Frost Security Research Lab
Status: Not defined
Coordinated: 🔍
Misc.: 🔍
Entry
Created: 10/12/2016 10:18Updated: 05/07/2019 18:10
Changes: 10/12/2016 10:18 (45), 05/07/2019 18:10 (1)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.