Romanian cybersecurity company Bitdefender has disclosed the discovery of several critical security vulnerabilities in the LG webOS software running on smart televisions. These vulnerabilities, if exploited, could enable attackers to bypass authorization and gain root-level access to the affected devices.
The findings, reported to LG in November 2023, were addressed through updates released on March 22, 2024. The vulnerabilities, tracked as CVE-2023-6317 through CVE-2023-6320, affect webOS versions ranging from 4.9.7 to 7.3.1-43 running on the LG43UM7000PLA, OLED55CXPUA, OLED48C1PUB, and OLED55A23LA models.
Vulnerabilities Uncovered
The vulnerabilities discovered include:
CVE-2023-6317: A flaw that allows an attacker to bypass PIN verification and add a privileged user profile without user interaction.
CVE-2023-6318: A vulnerability that enables privilege escalation and full root access to the device.
CVE-2023-6319: A vulnerability that permits operating system command injection by manipulating the asm library responsible for displaying music lyrics.
CVE-2023-6320: A vulnerability that allows the injection of authenticated commands by exploiting the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint.
Potential Impact and Exploitation
Successful exploitation of the PIN-bypass flaw (CVE-2023-6317) could grant threat actors elevated permissions on the affected devices. That foothold could then be chained with CVE-2023-6318 and CVE-2023-6319 to obtain root access, or with CVE-2023-6320 to execute arbitrary commands as the dbus user.
According to Bitdefender, over 91,000 devices exposing the vulnerable service were identified by the Shodan search engine for internet-connected devices. The majority of these devices are located in South Korea, Hong Kong, the United States, Sweden, Finland, and Latvia.