If you have an LG television, you should update it: 4 serious vulnerabilities discovered in WebOS

Bitdefender announced that last October it identified four vulnerabilities, one of high severity and three of critical severity, in WebOS, the operating system used by LG televisions. The security software company, which develops the popular antivirus of the same name, notified the manufacturer on November 1 and, after five months of waiting and once LG had released security patches to fix them, has now made them public.

“We have found several problems that affect WebOS versions 4 to 7 that run on LG TVs. These vulnerabilities allow us to get root access on the TV after bypassing the authorization mechanism,” Bitdefender noted on its blog. Root access, also known as superuser access, is the highest level of privilege that can be obtained in an operating system: a user with root access has full control over the system and can perform any action.

The least serious security hole, CVE-2023-6317, rated high, allows an attacker to bypass the WebOS authorization mechanism and add an extra user to the affected television.

CVE-2023-6318, rated critical, allows an attacker who has exploited the previous flaw to elevate the access obtained to root and thus take complete control of the television.

The third vulnerability, CVE-2023-6319, also rated critical, allows operating system command injection through a library responsible for displaying music lyrics.

Finally, CVE-2023-6320, rated critical, lets an attacker inject authenticated commands by manipulating the API endpoint com.webos.service.connectionmanager/tv/setVlanStaticAddress. An endpoint is a specific access point in an application programming interface (API) through which a client interacts with a web service or application to perform certain actions or access certain resources.
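The article only names the bug class (operating system command injection reachable through an API endpoint) and does not describe how the webOS code is written. The following is an added, constructed illustration of that class, not LG's code and not a reproduction of CVE-2023-6319 or CVE-2023-6320: a hypothetical "set static address" handler that splices request fields into a shell command, beside a hardened form that allow-lists each field and runs the program without a shell. The interface-name policy and the `ip addr add` command are assumptions chosen for the example.

```python
import ipaddress
import re
import subprocess
from typing import List

# Constructed illustration (not LG/webOS code) of the command-injection
# pattern the article attributes to CVE-2023-6319 and CVE-2023-6320.
# Assumed policy: a Linux interface name is 1-15 characters of [A-Za-z0-9_.-].
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")


def plan_unsafe(iface: str, address: str, prefix: str) -> str:
    """Vulnerable pattern: untrusted request fields spliced into one shell line.
    If this string were run with shell=True, an address such as
    '10.0.0.5; id' would make the shell run 'id' after the ip command."""
    return f"ip addr add {address}/{prefix} dev {iface}"


def plan_safe(iface: str, address: str, prefix: str) -> List[str]:
    """Hardened pattern: validate every field against its expected syntax,
    then return an argv list so metacharacters are never interpreted."""
    if not IFACE_RE.match(iface):
        raise ValueError(f"bad interface name: {iface!r}")
    ip = ipaddress.ip_address(address)   # rejects '10.0.0.5; id', accepts IPv4/IPv6
    plen = int(prefix)                    # rejects '24; id'
    if not 0 <= plen <= ip.max_prefixlen:  # 32 for IPv4, 128 for IPv6
        raise ValueError(f"bad prefix length: {prefix!r}")
    return ["ip", "addr", "add", f"{ip}/{plen}", "dev", iface]


def is_rejected(iface: str, address: str, prefix: str) -> bool:
    """True when the hardened planner refuses the input."""
    try:
        plan_safe(iface, address, prefix)
        return False
    except ValueError:
        return True


def apply_safe(iface: str, address: str, prefix: str, runner=subprocess.run):
    """Execute the validated argv without a shell. The runner is injectable so
    callers can exercise the logic without changing the host's network config."""
    argv = plan_safe(iface, address, prefix)
    return runner(argv, shell=False, check=False, capture_output=True, text=True)


if __name__ == "__main__":
    payload = "10.0.0.5; id"
    print("unsafe command string:", plan_unsafe("eth0", payload, "24"))
    print("hardened planner rejects payload:", is_rejected("eth0", payload, "24"))
    print("hardened argv for valid input:", plan_safe("eth0", "10.0.0.5", "24"))
```

The two defences are independent: the allow-list stops the hostile value at the API boundary, and the argv form means that even a value which slipped through validation would reach the program as a single argument rather than being parsed by a shell.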

Bear in mind that the problem is not only a compromised television: an attacker with complete control of the set could use it as a foothold to pivot to other devices connected to the same Wi-Fi network.

Bitdefender verified the vulnerabilities, on different versions of WebOS, on a limited range of LG TVs, but the key factor here is the operating system version and not the television model. The tested combinations are the following:

  • webOS 4.9.7 – 5.30.40 running on model LG43UM7000PLA.
  • webOS 5.5.0 – 04.50.51 running on OLED55CXPUA.
  • webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB.
  • webOS 7.3.1-43 (mullet-mebin) – 03.33.85 on model OLED55A23LA.

If you have an LG TV running one of the affected WebOS versions, you should update it from the operating system's Settings menu to resolve these vulnerabilities.

Update 11/4:

LG has sent LA RAZÓN the following statement about the vulnerabilities discovered:

“Our webOS operating system has been, since its inception, one of the most secure on the entire market. All applications downloaded or developed for LG televisions are managed directly from our own servers, located in Korea, to avoid any type of risk and instantly eliminate possible viruses or malware.

LG is a reference brand in the television market, creator and world leader in OLED technology. For this reason, on many occasions our devices are examined by third parties for issues such as cybersecurity. In the case of the published analysis, carried out in a controlled manner from a specific WiFi network, it should be noted that possible incidents were detected only in four models of our televisions and that it was not possible to access any other device connected to a different network. Despite this being a specific situation, as soon as we became aware of it we immediately activated the corresponding security protocols – both internal and external – and in March we released a patch to correct it. The security and privacy of our customers' data are a top priority for LG, which always works to avoid, control and resolve any possible situation of vulnerability as soon as possible.”