LG has patched four critical vulnerabilities, dating back to 2023, that affect numerous TV models and could give malicious actors control of the device. Attackers need to be on the same network to exploit the flaws, but they can retain control from any location afterward.
Critical vulnerabilities have been uncovered in LG TVs
LG has addressed four critical vulnerabilities discovered in many of its TVs, releasing patches for several versions of its operating system that fix how it interacts with the LG ThinQ app. Uncovered late last year, these vulnerabilities could affect four specific LG TV models, with CVE-2023-6317 highlighted for its potential to open the device to further exploitation.
While exploiting this vulnerability requires being connected to the same network as the TV, making it less critical, a Shodan search shows over 91,000 devices exposed globally, susceptible to remote exploitation by botnets like Mirai or InfectedSlurs.
Exploiting these security flaws grants malicious actors root access, enabling them to execute commands at the operating system level. The vulnerabilities originate in internal services that let LG’s ThinQ smartphone app control TVs on the same local network. An analysis by Bitdefender researchers describes in detail how the flaws work.
Exploiting CVE-2023-6317 involves some manipulation of authentication process variables. First, the attacker creates an unprivileged account in the ThinQ app, bypassing the need for a PIN on the TV. Next, they try to create a privileged account, specifying the companion-client-key of the previously created unprivileged account. Due to the absence of key source verification, the creation of a privileged account succeeds, facilitating exploitation of the other three flaws.
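The missing key-source check described above can be modeled in a few lines. This is an added illustration, not LG's or Bitdefender's code: the class, method and permission-level names are hypothetical, and only the reuse of a client key across permission levels follows the description.

```python
import secrets

class PairingService:
    """Toy model of TV-side client registration (all names hypothetical)."""

    def __init__(self, verify_key_source):
        self.verify_key_source = verify_key_source
        self.keys = {}  # client key -> permission level it was issued for
        self.pin = f"{secrets.randbelow(10**8):08d}"  # stands in for the on-screen PIN

    def register(self, level, client_key=None, pin=None):
        issued_for = self.keys.get(client_key)
        if issued_for is not None:
            # Known key: the PIN prompt is skipped for a returning client.
            if not self.verify_key_source or issued_for == level:
                return client_key, level
            # Hardened: a key issued for another level is ignored here,
            # so the request falls through to the PIN check below.
        if level == "privileged":
            if pin is None or not secrets.compare_digest(pin, self.pin):
                raise PermissionError("PIN required for privileged registration")
        key = secrets.token_hex(16)
        self.keys[key] = level
        return key, level


def escalation_possible(service):
    """Replay an unprivileged key in a privileged request, without the PIN."""
    key, _ = service.register("unprivileged")
    try:
        _, level = service.register("privileged", client_key=key)
    except PermissionError:
        return False
    return level == "privileged"


if __name__ == "__main__":
    print("no source check:", escalation_possible(PairingService(False)))
    print("with source check:", escalation_possible(PairingService(True)))
```

Binding each key to the permission level it was issued for is what closes the gap in this model: a key from an unprivileged registration no longer substitutes for the PIN.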
Vulnerabilities
CVE-2023-6317, with a CVSS score of 7.2, enables bypassing authorization in the secondscreen.gateway service present in webOS versions 4 through 7. Exploiting this vulnerability allows an attacker to create a privileged account without requiring the user’s security PIN. Affected versions include webOS 4.9.7, 5.5.0, 6.3.3-442, and 7.3.1-43.
CVE-2023-6318, with a CVSS score of 9.1, is a command injection vulnerability found in the processAnalyticsReport method within the com.webos.service.cloudupload service on webOS versions 5 through 7. Crafted requests can result in command execution with root user privileges. This vulnerability can be triggered by authenticated requests in webOS versions 5.5.0, 6.3.3-442, and 7.3.1-43.
CVE-2023-6319, rated with a CVSS score of 9.1, is an OS command injection vulnerability present in the getAudioMetadata method within the com.webos.service.attachedstoragemanager service. This flaw impacts webOS versions 4.9.7, 5.5.0, 6.3.3-442, and 7.3.1-43. It could permit authenticated command injection by exploiting the insufficient sanitization of the fullPath parameter.
CVE-2023-6320, rated with a CVSS score of 9.1, impacts webOS versions 5.5.0 and 6.3.3-442. It enables authenticated command injection through the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint, granting the ability to execute commands on the device as dbus, with permissions akin to those of the root user.
Users should promptly update their LG TVs to the latest firmware version and restrict external access to the device to mitigate potential security risks.