Lg web os vulnerabilities

Vulnerabilities Identified in LG WebOS


As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers vulnerabilities discovered while researching the LG WebOS TV operating system.
We have found several issues affecting WebOS versions 4 through 7 running on LG TVs. These vulnerabilities let us gain root access on the TV after bypassing the authorization mechanism. Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet.

Vulnerabilities at a glance

 
1. Bitdefender researchers discovered a vulnerability that lets an attacker bypass the authorization mechanism in WebOS versions 4 through 7. By setting a variable, the attacker can add an extra user to the TV set (CVE-2023-6317)

2. Another vulnerability allows attackers to elevate the access they gained in the first step to root and fully take over the device (CVE-2023-6318)
  • A third vulnerability (CVE-2023-6319) allows operating system command injection by manipulating a library responsible with showing music lyrics.
  • The CVE-2023-6320 vulnerability lets an attacker inject authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint.
 

3. Vulnerable OS versions

  • webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA
  • webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
  • webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
  • webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA
 

4. Disclosure timeline

  • November 01, 2023: Vendor disclosure
  • November 15, 2023: Vendor confirms the vulnerabilities.
  • December 14, 2023: Vendor requests extension
  • March 22, 2024: Patch release
  • April 09, 2024: Public release of this report
 

A technical look into the discovered vulnerabilities

 
WebOS runs a service on ports 3000/3001 (HTTP/HTTPS/WSS) which is used by the LG ThinkQ smartphone app to control the TV. To set up the app, the user must enter a PIN code into the display on the TV screen. An error in the account handler lets an attacker skip the PIN verification entirely and create a privileged user profile.
Learn More