Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices.
The findings come from Romanian cybersecurity company Bitdefender, which discovered and reported the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024.
The vulnerabilities are tracked from CVE-2023-6317 through CVE-2023-6320 and affect the following versions of webOS:
- webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA
- webOS 5.5.0 – 04.50.51 running on OLED55CXPUA
- webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB
- webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA
A brief description of the flaws is as follows:
- CVE-2023-6317 – A vulnerability that allows an attacker to bypass PIN verification and add a privileged user profile to the TV set without requiring user interaction
- CVE-2023-6318 – A vulnerability that allows the attacker to elevate their privileges and gain root access to take control of the device
- CVE-2023-6319 – A vulnerability that allows operating system command injection by manipulating a library named asm that is responsible for displaying music lyrics
- CVE-2023-6320 – A vulnerability that allows for the injection of authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint
Successful exploitation of the flaws could allow a threat actor to gain elevated permissions on the device, which, in turn, can be chained with CVE-2023-6318 and CVE-2023-6319 to obtain root access, or with CVE-2023-6320 to run arbitrary commands as the dbus user.
“Though the vulnerable service is meant for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet,” Bitdefender said. A majority of the devices are located in South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia.