Bitdefender researchers have uncovered four vulnerabilities in webOS, the operating system running on LG smart TVs, which may offer attackers unrestricted (root) access to the devices.
“Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet,” the researchers pointed out.
The number of potentially exploitable internet-connected devices is likely smaller, as LG patched the vulnerabilities on March 22, 2023, and some users have either applied the updates or set their TVs to install updates automatically.
The vulnerabilities
CVE-2023-6317 is a prompt bypass in the secondscreen.gateway service running on webOS, which may allow attackers to create a privileged account without having to enter the security PIN and without any user interaction.
CVE-2023-6318 is a command injection vulnerability that can be triggered with a series of authentication requests and can lead to command execution as the root user.
CVE-2023-6319 allows OS command injection, and CVE-2023-6320 lets an attacker inject authenticated commands by manipulating a specific API endpoint, achieving command execution as the (highly privileged) dbus user.
The vulnerabilities affect several webOS versions running on various LG smart TVs:
Chained together, CVE-2023-6317 allows an attacker to bypass authentication and add themselves as a user, then escalate privileges (CVE-2023-6318) to gain root access to the TV, and finally use command injection (CVE-2023-6319, CVE-2023-6320) to potentially drop additional malware (e.g., to rope the device into a DDoS botnet) or attempt to move laterally across the smart home network to which the TV is connected.
Users are advised to update their LG smart TVs as soon as possible (if they haven’t already).