Numerous security vulnerabilities have been found in LG webOS running on its smart TVs that could be exploited to bypass authorization and gain root access on the devices.
The findings come from Romanian cybersecurity firm Bitdefender, which discovered and reported the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024.
The vulnerabilities are tracked from CVE-2023-6317 to CVE-2023-6320 and impact the following webOS versions:
- webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA
- webOS 5.5.0 – 04.50.51 running on OLED55CXPUA
- webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB
- webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA
A brief description of the shortcomings is as follows:
- CVE-2023-6317 – A vulnerability that allows an attacker to bypass PIN verification and add a privileged user profile to the TV without requiring user interaction
- CVE-2023-6318 – A vulnerability that allows the attacker to elevate their privileges and gain root access to take control of the device
- CVE-2023-6319 – A vulnerability that allows injection of operating system commands by manipulating a library called asm responsible for displaying musical lyrics
- CVE-2023-6320 – A vulnerability that allows authenticated command injection by manipulating the API endpoint com.webos.service.connectionmanager/tv/setVlanStaticAddress
Successful exploitation of the flaws could allow a threat actor to gain elevated permissions on the device; that access can, in turn, be chained with CVE-2023-6318 and CVE-2023-6319 to gain root, or with CVE-2023-6320 to execute arbitrary commands as the dbus user.
“Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, has identified over 91,000 devices that expose this service to the Internet,” Bitdefender said. Most of the devices are located in South Korea, Hong Kong, the United States, Sweden, Finland and Latvia.