CVE-2020-9759
Linux Debian vulnerability analysis and mitigation

Overview

A vulnerability in LG Electronics webOS TV Emulator (CVE-2020-9759) could allow an attacker to escalate privileges and overwrite certain files. It is caused by incorrect environment settings and could be exploited through crafted configuration files and executable files (MITRE CVE, NVD).

Technical details

The vulnerability exists in the Luna Service API's Downloadmanager component, which runs as root. The issue stems from a security bypass in the luna-send-pub tool, which identifies itself as 'com.webos.lunasendpub' when communicating with the Luna Service API. This identification allows it to pass privileged caller checks, enabling unprivileged users to download arbitrary files to any writable part of the filesystem as the root user. The vulnerability has a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Recurity Labs).
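The flawed pattern described above, next to one way such a check could be tightened, as an added example that is neither LG's code nor LG's fix. Only the ID 'com.webos.lunasendpub' comes from this page; the allow-list, the download directory and all function names are hypothetical, and a Unix socket pair stands in for the bus connection.

```python
import os
import socket
import struct

# Assumption: simplified model of a privileged-caller allow-list.
PRIVILEGED_CALLERS = {"com.webos.lunasendpub"}
ALLOWED_ROOT = "/media/downloads"  # hypothetical download directory


def peer_uid(conn: socket.socket) -> int:
    """Kernel-verified UID of the process at the other end (Linux SO_PEERCRED)."""
    size = struct.calcsize("iII")  # struct ucred: pid, uid, gid
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size)
    _pid, uid, _gid = struct.unpack("iII", creds)
    return uid


def weak_authorize(caller_id: str, uid: int, target: str) -> bool:
    """Flawed: trusts the caller's service name alone. Any user who can run
    the allow-listed tool inherits its privilege; uid and target are ignored."""
    return caller_id in PRIVILEGED_CALLERS


def hardened_authorize(caller_id: str, uid: int, target: str) -> bool:
    """Require an allow-listed name AND a privileged invoking user, then
    confine the destination after resolving '..' and symlinks."""
    if caller_id not in PRIVILEGED_CALLERS or uid != 0:
        return False
    root = os.path.realpath(ALLOWED_ROOT)
    real = os.path.realpath(target)
    return os.path.commonpath([real, root]) == root


if __name__ == "__main__":
    a, b = socket.socketpair()  # constructed stand-in for a bus connection
    try:
        uid = peer_uid(a)
    finally:
        a.close()
        b.close()
    req = ("com.webos.lunasendpub", uid, "/etc/example.conf")  # constructed request
    print("invoking uid:", uid)
    print("weak check allows:    ", weak_authorize(*req))
    print("hardened check allows:", hardened_authorize(*req))
```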

Impact

The vulnerability allows attackers to download arbitrary files to any writable location on the filesystem with root privileges. This can be leveraged to achieve local privilege escalation by overwriting configuration files and executing arbitrary commands as root. The impact is particularly severe as it provides a path to full system compromise (Recurity Labs).

Mitigation and workarounds

LG claimed they would fix the issue "within a week" on January 26, 2021, after the initial report on October 5, 2020. However, according to security researchers, the root cause may not have been fully remediated in the webOS Open Source Edition (OSE). No official patches or workarounds have been publicly documented (Recurity Labs).

Source: This report was generated using AI
