LG smart TVs may be taken over by remote attackers
2024-04-09 17:50

Bitdefender researchers have uncovered four vulnerabilities in webOS, the operating system running on LG smart TVs, which may offer attackers unrestricted access to the devices.

The number of potentially exploitable internet-connected devices is likely smaller, as LG patched the vulnerabilities on March 22, 2023, and some users have either applied the updates or set their TVs to update automatically.

Gateway service running on webOS, which may allow attackers to create a privileged account without having to enter the security PIN and without any user interaction.

CVE-2023-6319 allows OS command injection, and CVE-2023-6320 lets an attacker inject authenticated commands by manipulating a specific API endpoint, achieving command execution as the dbus user.

The vulnerabilities affect several webOS versions, running on various LG smart TVs:

webOS v4.9.7 to v5.30.40, running on LG43UM7000PLA
webOS v4.50.51 to v5.5.0, running on OLED55CXPUA
webOS v03.36.50 to v6.3.3-442, running on OLED48C1PUB
webOS v3.33.85 to v7.3.1-43, running on OLED55A23LA

CVE-2023-6317 allows an attacker to bypass authentication to add themselves as a user, then escalate privileges to gain root access to the TV, and finally use command injection to potentially drop additional malware or attempt to move laterally across the smart home network to which the TV is connected.

Users are advised to update their LG smart TVs as soon as possible.


News URL

https://www.helpnetsecurity.com/2024/04/09/lg-smart-tvs-webos-vulnerabilities/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
LG 120 1 17 14 6 38