Bitdefender, a cybersecurity company known for its security products, has identified multiple security vulnerabilities in LG TV’s operating system, WebOS. The company’s research, which is part of a larger initiative to analyze the security of popular IoT devices, focused on WebOS versions 4 through 7.
tl;dr – We recommend that anyone with an LG TV double-check that their device is up to date and secure.
The identified vulnerabilities allow someone to root the LG TVs and gain full control over them. Specifically, Bitdefender discovered an issue that could enable an attacker to bypass authorization and add an extra user to the TV set by setting a variable (CVE-2023-6317). Another vulnerability could then allow an attacker to elevate their access to root and fully take over the device (CVE-2023-6318). A third vulnerability (CVE-2023-6319) was found that allows for operating system command injection by manipulating a library responsible for displaying music lyrics. Lastly, CVE-2023-6320 enables an attacker to inject authenticated commands by manipulating a specific API endpoint.
The vulnerabilities are present in various WebOS versions ranging from 4.9.7 to 7.3.1-43, across different TV models such as LG43UM7000PLA, OLED55CXPUA, OLED48C1PUB, and OLED55A23LA. Bitdefender’s technical analysis indicated that the WebOS service running on ports 3000/3001, which is used by the LG ThinQ smartphone app for TV control, contained a flaw in the account handler that allowed attackers to create a privileged user profile without PIN verification. This was the entry point for accessing a broader attack surface.
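As a defensive check tied to the ports 3000/3001 service described above, the following added example (not code from Bitdefender or LG) audits a connection log for hosts that reach a TV's control ports without being the expected phone. The CSV log layout, the IP addresses, and the function name are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

WEBOS_CONTROL_PORTS = {3000, 3001}  # ports named in the article

# Constructed sample flow log: timestamp,src_ip,dst_ip,dst_port,proto (not real traffic)
SAMPLE_FLOWS = """\
2024-04-10T19:02:11Z,192.168.1.23,192.168.1.50,3001,tcp
2024-04-10T19:05:42Z,192.168.1.77,192.168.1.50,3000,tcp
2024-04-10T19:06:03Z,192.168.1.23,192.168.1.50,443,tcp
2024-04-10T19:09:30Z,203.0.113.9,192.168.1.50,3001,tcp
2024-04-10T19:11:00Z,192.168.1.77,192.168.1.60,3000,tcp
not,a,valid,line
"""

def audit_flows(log_text, tv_ips, allowed_clients, lan_cidr):
    """Return flows that reach a TV's control ports from a non-allowlisted source."""
    tvs = {ipaddress.ip_address(ip) for ip in tv_ips}
    allowed = {ipaddress.ip_address(ip) for ip in allowed_clients}
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, port, proto = (field.strip() for field in row)
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            dport = int(port)
        except ValueError:
            continue  # unparsable address or port
        if proto.lower() != "tcp" or dst_ip not in tvs:
            continue
        if dport not in WEBOS_CONTROL_PORTS or src_ip in allowed:
            continue
        findings.append({
            "time": ts, "src": str(src_ip), "dst": str(dst_ip), "port": dport,
            # A source outside the LAN means the control port is reachable
            # from another network segment or the internet.
            "from_outside_lan": src_ip not in lan,
        })
    return findings

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS, ["192.168.1.50"], ["192.168.1.23"],
                         "192.168.1.0/24"):
        print(f)
```

Any finding with `from_outside_lan` set points to a firewall or port-forwarding rule to remove; findings from inside the LAN identify devices that should be moved to a separate segment from the TV.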
For the vulnerabilities leading to root access, Bitdefender described how the processAnalyticsReport method of the com.webos.service.cloudupload service and the getAudioMetadata method of the com.webos.service.attachedstoragemanager service can be exploited. The exploitation involves bypassing restrictions and using internal requests similar to Server-Side Request Forgery (SSRF).
In addition to the above, the setVlanStaticAddress endpoint within the com.webos.service.connectionmanager service was also found to be vulnerable, allowing the execution of commands as the dbus user, which has permissions similar to the root user.
For more information on these vulnerabilities and Bitdefender’s research, see Bitdefender’s website.