Multiple security vulnerabilities have been revealed in webOS running on LG smart TVs, which can be used to bypass authorization and gain root access to the device.
The findings come from Romanian cybersecurity company Bitdefender, which discovered and reported the flaws in November 2023. LG fixed these issues in an update released on March 22, 2024.
These vulnerabilities are tracked from CVE-2023-6317 to CVE-2023-6320 and affect the following webOS versions –
- webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA
- webOS 5.5.0 – 04.50.51 running on OLED55CXPUA
- webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB
- webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA
Its shortcomings are briefly described as follows –
- CVE-2023-6317 – This vulnerability allows an attacker to bypass PIN verification and add a privileged user profile to the TV without user interaction
- CVE-2023-6318 – This vulnerability allows an attacker to escalate privileges and gain root access to control the device
- CVE-2023-6319 – A vulnerability that allows the injection of operating system commands by manipulating a library called asm responsible for displaying music lyrics
- CVE-2023-6320 – A vulnerability that allows injection of authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint
Successful exploitation of these flaws could allow a threat actor to gain elevated privileges over a device, which in turn could be linked to CVE-2023-6318 and CVE-2023-6319 to gain root access, or to CVE-2023-6320 Execute arbitrary commands as the dbus user.
Bitdefender said: “Although the vulnerable service is only for LAN access, Shodan, a search engine for Internet-connected devices, found more than 91,000 devices exposing this service to the Internet.” Most of the devices are located in South Korea, Hong Kong, the United States, Sweden , Finland and Latvia.
