Bitdefender is the most trusted and leading cybersecurity software provider, and is also considered the inventor of the world’s first smart home cybersecurity hub. Bitdefender regularly audits popular IoT hardware for possible vulnerabilities and discloses them responsibly. This particular research paper, as part of a much broader program, is intended to investigate thoroughly the security of the world’s best cybersecurity software in the IoT space. According to reports, multiple vulnerabilities were found in the LG WebOS TV operating system.
The security issues affect WebOS versions 4 through 7 on LG smart televisions. The vulnerabilities could let attackers bypass the authorization mechanism and gain root access to the TVs. Bitdefender, the Romanian cybersecurity company, discovered these flaws and reported them last November. The vulnerable service is meant to be reachable only from the LAN. However, according to the search engine Shodan, more than 91,000 devices exposed this vulnerable service to the internet.
These are the affected OS versions:
webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA.
webOS 5.5.0 – 04.50.51 running on OLED55CXPUA.
webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB.
webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA.
The vulnerabilities are explained below:
CVE-2023-6317: This vulnerability allows attackers to bypass the PIN verification and add a privileged user profile to the TV set without any user interaction.
CVE-2023-6318: This vulnerability allows the attacker to elevate privileges and gain root access, taking complete control of the user’s device.
CVE-2023-6319: This vulnerability allows operating system command injection by manipulating asm, a library that displays music lyrics.
CVE-2023-6320: This vulnerability allows authenticated command injection by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint.
The disclosure timeline of the vulnerabilities is as follows:
November 01, 2023: Vendor disclosure.
November 15, 2023: Vendor confirms the vulnerabilities.
December 14, 2024: Vendor requests an extension.
March 22, 2024: Patch release.
April 09, 2024: Public release.
A technical look into the discovered vulnerabilities
WebOS runs a service on ports 3000/3001 (HTTP/HTTPS/WSS) that is used by the LG ThinQ smartphone app, which lets users control the TV. To set up the app, the user must first enter a PIN code shown on the TV screen. However, an error in the account handler lets an attacker skip the PIN verification process and create a privileged user profile.
The function that handles account registration requests uses a variable named skipPrompt. skipPrompt is set to true whenever the client-key or the companion-client-key parameter matches an existing profile. The function also takes into account which permissions are requested when deciding whether to prompt the user for a PIN, because in some cases the system does not demand confirmation.
Attackers can first create an account that requests no permissions. Then they request another account with elevated permissions and set the companion-client-key parameter to the key of the first account. The server confirms that the key already exists, and skipPrompt becomes true, so the second account is created without PIN confirmation on the TV. The server fails to verify whether the key belongs to the correct account.
This is how CVE-2023-6317 affects LG webOS TVs. With a privileged account, attackers can then perform authenticated command injection to gain root access or run commands as the dbus user.
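The skipPrompt decision described above can be modelled in a few lines. This is an added example, not code from LG or Bitdefender: the class, the permission names and the hardened check (skip the prompt only when the referenced profile already holds every requested permission) are assumptions chosen to illustrate the missing ownership check.

```python
# Simplified, constructed model of the registration decision; not LG's code.
import secrets
from dataclasses import dataclass, field

# Hypothetical permission names that would normally require a PIN on the TV.
PRIVILEGED = frozenset({"CONTROL_POWER", "WRITE_SETTINGS"})


@dataclass
class PairingService:
    hardened: bool
    # client-key -> permissions granted to that profile
    profiles: dict = field(default_factory=dict)

    def _skip_prompt(self, requested, companion_key):
        granted = self.profiles.get(companion_key)
        if granted is None:
            return False  # unknown key: always prompt
        if not self.hardened:
            # Flawed behaviour described in the text: the key merely has to exist.
            return True
        # Assumed mitigation: the existing profile must already cover
        # everything that is being requested now.
        return requested <= granted

    def register(self, requested, companion_key=None, pin_confirmed=False):
        """Return a new client-key, or None if PIN confirmation is required."""
        requested = frozenset(requested)
        needs_pin = bool(requested & PRIVILEGED)
        if needs_pin and not pin_confirmed \
                and not self._skip_prompt(requested, companion_key):
            return None
        key = secrets.token_hex(16)
        self.profiles[key] = requested
        return key


if __name__ == "__main__":
    for hardened in (False, True):
        svc = PairingService(hardened=hardened)
        low = svc.register([])  # no permissions: granted without a PIN
        high = svc.register(["WRITE_SETTINGS"], companion_key=low)
        print(f"hardened={hardened}: privileged profile without PIN:",
              high is not None)
```

In the unhardened model the second registration succeeds without a PIN; in the hardened model it is refused until the PIN is confirmed.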