Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices.
The findings come from Romanian cybersecurity firm Bitdefender, which discovered and reported the issues in November 2023. LG fixed the problems as part of updates released on March 22, 2024.
The vulnerabilities are tracked from CVE-2023-6317 through CVE-2023-6320 and impact the following versions of webOS –
- webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA
- webOS 5.5.0 – 04.50.51 running on OLED55CXPUA
- webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB
- webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA
A brief description of the shortcomings is as follows –
- CVE-2023-6317 – A vulnerability that allows an attacker to bypass PIN verification and add a privileged user profile to the TV set without requiring user interaction
- CVE-2023-6318 – A vulnerability that allows the attacker to elevate their privileges and gain root access to take control of the device
- CVE-2023-6319 – A vulnerability that allows operating system command injection by manipulating a library named asm responsible for displaying music lyrics
- CVE-2023-6320 – A vulnerability that allows for the injection of authenticated commands by manipulating the com.webos.service.connectionmanager/television/setVlanStaticAddress API endpoint
Successful exploitation of the issues could allow a threat actor to gain elevated permissions on the device, which, in turn, can be chained with CVE-2023-6318 and CVE-2023-6319 to obtain root access, or with CVE-2023-6320 to run arbitrary commands as the dbus user.
“Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet,” Bitdefender stated. A majority of the devices are located in South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia.