Vulnerabilities identified in LG WebOS

https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos

Vulnerabilities at a glance

  • Bitdefender researchers discovered a vulnerability that lets an attacker bypass the authorization mechanism in WebOS versions 4 through 7. By setting a variable, the attacker can add an extra user to the TV set (CVE-2023-6317).
  • Another vulnerability allows attackers to elevate the access they gained in the first step to root and fully take over the device (CVE-2023-6318).
  • A third vulnerability (CVE-2023-6319) allows operating system command injection by manipulating a library responsible for showing music lyrics.
  • The CVE-2023-6320 vulnerability lets an attacker inject authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint.

Vulnerable OS versions

  • webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA
  • webOS 5.5.0 – 04.50.51 running on OLED55CXPUA
  • webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB
  • webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA

Disclosure timeline

  • November 01, 2023: Vendor disclosure
  • November 15, 2023: Vendor confirms the vulnerabilities
  • December 14, 2023: Vendor requests extension
  • March 22, 2024: Patch release
  • April 09, 2024: Public release of this report
