Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
thnThe Hacker NewsTHN:268DADB26FF24612D4E89CF50625568D
HistoryApr 09, 2024 - 1:05 p.m.

Researchers Discover LG Smart TV Vulnerabilities Allowing Root Access

2024-04-0913:05:00
The Hacker News
thehackernews.com
20
lg smart tv
vulnerabilities
root access
security flaws
webos
cve-2023-6317
cve-2023-6318
cve-2023-6319
cve-2023-6320
bitdefender
shodan
internet-connected devices

8.7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

LG Smart TV Vulnerabilities

Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices.

The findings come from Romanian cybersecurity firm Bitdefender, which discovered and reported the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024.

The vulnerabilities are tracked from CVE-2023-6317 through CVE-2023-6320 and impact the following versions of webOS -

  • webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA
  • webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
  • webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
  • webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA

Cybersecurity

A brief description of the shortcomings is as follows -

  • CVE-2023-6317 - A vulnerability that allows an attacker to bypass PIN verification and add a privileged user profile to the TV set without requiring user interaction
  • CVE-2023-6318 - A vulnerability that allows the attacker to elevate their privileges and gain root access to take control of the device
  • CVE-2023-6319 - A vulnerability that allows operating system command injection by manipulating a library named asm that’s responsible for showing music lyrics
  • CVE-2023-6320 - A vulnerability that allows for the injection of authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint

Successful exploitation of the flaws could allow a threat actor to gain elevated permissions to the device, which, in turn, can be chained with CVE-2023-6318 and CVE-2023-6319 to obtain root access, or with CVE-2023-6320 to run arbitrary commands as the dbus user.

LG Smart TV Vulnerabilities

“Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet,” Bitdefender said. A majority of the devices are located in South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related

cvelist 4
nvd 4
vulnrichment 1
cve 4
cvelist
cvelist
CVE-2023-6317 PIN/prompt bypass on the secondscreen.gateway service allows access to the SSAP API without user interaction
2024-04-09 13:41:34
CVE-2023-6320 Command injection in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint
2024-04-09 13:43:35
CVE-2023-6319 Command injection in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service
2024-04-09 13:42:06
nvd
nvd
CVE-2023-6319
2024-04-09 14:15:08
CVE-2023-6320
2024-04-09 14:15:08
CVE-2023-6317
2024-04-09 14:15:07
vulnrichment
vulnrichment
CVE-2023-6320 Command injection in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint
2024-04-09 13:43:35
cve
cve
CVE-2023-6317
2024-04-09 14:15:07
CVE-2023-6319
2024-04-09 14:15:08
CVE-2023-6320
2024-04-09 14:15:08

8.7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON
Related for THN:268DADB26FF24612D4E89CF50625568D
cvelist4nvd4vulnrichment1cve4