Security researchers recently discovered LG WebOS vulnerabilities, potentially exposing millions of LG smart TVs to exploitation. The vulnerabilities, ranging from bypassing authorization mechanisms to executing system commands, affect WebOS versions 4 through 7, which power a variety of LG television models.
According to Bitdefender researchers, these LG smart TV vulnerabilities enable unauthorized access to the root level of the TV’s operating system, even bypassing intended authorization protocols.
While the vulnerable service was designed for access from the local network only, a search on Shodan, a search engine that indexes Internet-connected devices, revealed over 91,000 LG TVs with this service exposed to the broader Internet.
Understanding the LG WebOS Vulnerabilities
The LG WebOS vulnerabilities are tracked as CVE-2023-6317, CVE-2023-6318, CVE-2023-6319, and CVE-2023-6320. Together they cover an authorization bypass, privilege escalation to root, and command injection, and all of them affect LG smart TV users.
The vulnerabilities are as follows:
Authorization Bypass (CVE-2023-6317)

This vulnerability allows attackers to bypass the authorization mechanism, effectively adding an extra user to the TV set. By manipulating certain variables, attackers can exploit this flaw and gain unauthorized access to the device.
Root Access Escalation (CVE-2023-6318)

Building upon the initial breach, attackers can elevate their access privileges to gain full control over the device, essentially taking over the entire system.
Operating System Command Injection (CVE-2023-6319)

Attackers can manipulate a library responsible for displaying music lyrics, enabling them to inject operating system commands into the system, potentially leading to further exploitation.
Authenticated Command Injection (CVE-2023-6320)

Through manipulation of specific API endpoints, attackers can inject authenticated commands, granting them significant control over the device’s functionalities.
These vulnerabilities affect various LG smart TV models running specific versions of WebOS, including the LG43UM7000PLA, OLED55CXPUA, OLED48C1PUB, and OLED55A23LA.
Attackers Exploiting LG TV Vulnerabilities

The disclosure timeline reveals the urgency and complexity of addressing these issues. Bitdefender disclosed the vulnerabilities to LG in November 2023. Following confirmation by the vendor, a patch release was scheduled for March 2024. However, the vulnerabilities were made public in April 2024, highlighting the need for immediate action.
A closer examination of the vulnerabilities shows how they chain together. By first exploiting flaws in the account-handling mechanism and then using authenticated endpoints, attackers can escalate their privileges on the system and execute commands on the device.
The Cyber Express has contacted LG to learn more about these smart TV vulnerabilities and their implications. However, at the time of writing this, no official statement or response has been received.
LG Smart TV users are urged to update their devices promptly to the latest firmware versions provided by the vendor to mitigate the risks associated with these vulnerabilities.
Additionally, users are advised to exercise caution when connecting their Smart TVs to the Internet and to ensure proper network security measures are in place.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.