April 9, 2024 at 02:09PM
Multiple bugs in LG's WebOS on smart TVs permit attackers to gain root access and take control of the device. Bitdefender Labs identified four vulnerabilities affecting WebOS versions 4 through 7, with CVSS scores of up to 9.1. The flaws allow an attacker to bypass the TV's PIN prompt and create a privileged account, execute commands on the device (including through the music-lyrics library), and ultimately obtain root. LG released patches on March 22, 2024.
Key Takeaways:
1. Vulnerabilities in LG smart TVs running WebOS allow attackers to bypass authorization and gain root access on the device.
2. Once an attacker has gained root access, they can carry out various malicious activities including moving laterally through the home network, dropping malware, using the device as part of a botnet, and spying on users.
3. Bitdefender Labs researcher Alexandru Lazăr discovered four vulnerabilities affecting WebOS versions 4 through 7; Bitdefender found more than 91,000 affected devices directly reachable from the internet.
4. The four vulnerabilities are tracked as CVE-2023-6317, CVE-2023-6318, CVE-2023-6319 and CVE-2023-6320. CVE-2023-6317 is an authorization (PIN) bypass; the other three are command-injection flaws rated critical, with CVSS scores of up to 9.1.
5. CVE-2023-6317 is the prerequisite for the attack chain: it lets an attacker bypass PIN verification and create an account with elevated privileges, and the command-injection flaws can only be exploited from such an account. Chaining them yields root on the TV.
6. Lazăr reported the flaws to LG on November 1, 2023, and LG issued patches on March 22, 2024, so owners should check for and install the WebOS update immediately.
Together these points summarize the vulnerabilities in LG smart TVs running WebOS and the one action that mitigates them: installing LG's update.