Multiple security flaws have been discovered in LG webOS. In reality, it runs on its smart televisions. Later on,  that may be exploited to circumvent authentication and get root access to the devices.

The compromised service is only meant for local area network access. Shodan, a search engine for Internet-connected devices. It discovered over 91,000 devices that disclose this service to the Internet," the researchers stated.

The findings came from Bitdefender. It is famous as a Romanian cybersecurity business. It identified and disclosed the problems in November 2023. LG resolved the vulnerabilities as part of updates provided on March 22, 2024.

The number of potentially susceptible internet-enabled gadgets is likely fewer. It is because LG addressed the flaws on March 22, 2023. In the meantime, some of the consumers have either applied the updates or programmed their TVs to run upgrades.

The vulnerabilities have been identified from CVE-2023-6317 to CVE-2023-6320. It also affects multiple versions of webOS. The following is a list of the significant vulnerabilities and their possible impact on WebOS versions.

Vulnerabilities

A quick overview of the limitations is provided below:

• CVE-2023-6317 - 

CVE-2023-6317 refers to an alert bypass in the second screen.gateway service. It runs on webOS and allows attackers to create privileged accounts. This issue also allows hijackers to circumvent PIN verification.

They can also create an exclusive user profile for the TV device. They do not need to input their security PIN.  They can achieve this without the need for user engagement.

• CVE-2023-6318 -

A flaw that enables the attacker to escalate their privileges. In addition, gaining root access allows you to take charge of the device. It is also known as a command insertion flaw.

It is simple to trigger with a sequence of authentication requests. Later on, it may lead to command execution as the main user.

• CVE-2023-6319 - 

It enables operating system command injection. This requires the manipulation of a special library known as asm. It was solely responsible for displaying song lyrics.

The noteworthy part is that it allows you to execute commands as the (very privileged) dbus user.

• CVE-2023-6320 -

A bug that enables the insertion of authorized instructions. To do so successfully, it must alter the API endpoint "com.webos.service.connectionmanager/tv/setVlanStaticAddress."

Impacts

• webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA
• webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
• webOS 6.3.3-442 (kiss curl-kinglake) - 03.36.50 running on OLED48C1PUB
• webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA

Effective abuse of the weaknesses may allow a threat actor to achieve elevated device rights. After some time, it may be combined with CVE-2023-6318 and CVE-2023-6319 to gain root access. Additionally, it will be advantageous for it to execute random commands as the dbus user.