It has been revealed that more than 91,000 LG smart TVs are exposed to vulnerabilities that allow attackers to bypass authorisation and take control of the affected TV.
Researchers at Bitdefender discovered the four vulnerabilities, which affect WebOS versions 4 - 7:
- CVE-2023-6317 lets an attacker bypass the authorization mechanism in WebOS versions 4 through 7, set a variable and add an extra user to the TV.
- CVE-2023-6318 lets attackers elevate the access they gained in the first step (above) to root and fully take over the TV.
- CVE-2023-6319 manipulates a library responsible for showing music lyrics and allows operating system command injection.
- CVE-2023-6320 manipulates the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint and lets an attacker inject authenticated commands.
The last three of the above all have a "critical" CVSS score of 9.1.
Vulnerable OS versions:
- webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA
- webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
- webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
- webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA
Bitdefender reported the flaws to LG on November 1, 2023, and asked for an extension in mid-December 2023 to fix them. The electronics giant released patches on March 22, 2024. It is recommended that you apply the WebOS patch as soon as possible.
The full findings can be found in this Bitdefender blog post.