Full Report
As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers vulnerabilities discovered while researching the LG WebOS TV operating system. We have found several issues affecting WebOS versions 4 through 7 running on LG TVs. These vulnerabilities let us gain root acces
Analysis Summary
# Vulnerability: Chain of Flaws Leading to Root Access in LG WebOS TV
## CVE Details
- CVE ID: CVE-2023-6317, CVE-2023-6318, CVE-2023-6319, CVE-2023-6320
- CVSS Score: Not stated in this summary. The chain yields unauthenticated remote root on the device, so treat it as **High** severity at minimum.
- CWE: Varies: incorrect authorization (CVE-2023-6317) and OS command injection (CVE-2023-6318, CVE-2023-6319, CVE-2023-6320).
## Affected Systems
- Products: LG WebOS TV Operating System
- Versions:
  - WebOS 4.x (e.g., 4.9.7)
  - WebOS 5.x (e.g., 5.30.40, 5.5.0)
  - WebOS 6.x (e.g., 6.3.3-442)
  - WebOS 7.x (e.g., 7.3.1-43)
- Configurations: Every TV running one of the listed versions is exploitable by any host that can reach its remote-control service (TCP 3000/3001, used by the LG ThinQ app). Devices that additionally expose those ports to the Internet are reachable by anyone; over 91,000 such devices were identified via Shodan at the time of the research.
## Vulnerability Description
A chain of four vulnerabilities exists in LG WebOS versions 4 through 7, enabling an unauthenticated, remote attacker to gain full root access to the TV.
1. **CVE-2023-6317 (Authorization Bypass):** An error in the account handler lets an attacker who holds an existing client key skip the PIN verification required during service setup by manipulating the `skipPrompt` variable. The result is a privileged user profile created without any interaction from the person in front of the TV.
2. **CVE-2023-6318 (Authenticated Root Command Injection):** With the privileged profile from CVE-2023-6317, an attacker chains two authenticated endpoints (`system.notifications/createAlert` and `system.notifications/closeAlert`) to reach an unsanitized command injection in the `com.webos.service.cloudupload/processAnalyticsReport` method (when `type` is `analytic`). The method expects an existing file on disk; that constraint is met by writing the attacker's file with `com.webos.service.downloadmanager/download`.
3. **CVE-2023-6319 (Authenticated Command Injection as dbus):** A second injection path exists in `com.webos.service.attachedstoragemanager/getAudioMetadata`. With crafted MP3 and LRC files, the command the service runs through the `iconv` binary while reading metadata and lyrics can be hijacked to execute attacker-supplied commands.
4. **CVE-2023-6320 (Authenticated Command Injection as dbus):** An attacker with the necessary permissions can inject parameters into the system commands built by the `com.webos.service.connectionmanager/tv/setVlanStaticAddress` endpoint, leading to command execution as the `dbus` user, which on webOS has permissions comparable to root.
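The bug class behind CVE-2023-6320 (and, in spirit, CVE-2023-6318) is caller-controlled strings pasted into a command line. The snippet below is an added example written for this page, not the webOS connectionmanager source, which is not public: it assumes an `ifconfig`-style command and the parameter names `iface`, `address` and `netmask` purely to show the vulnerable pattern beside a hardened builder. Its point beyond the advisory text is that switching to an argv list is not sufficient on its own; each parameter must also be validated as the type it is supposed to be, otherwise a value such as `-a` still reaches the tool as an option.

```python
import ipaddress
import re

# Vulnerable pattern (illustrative, not the real service code): caller-controlled
# strings are interpolated into one command line that is later handed to a shell.
# A separator in any parameter changes what the shell runs.
def build_cmd_unsafe(iface: str, address: str, netmask: str) -> str:
    return f"ifconfig {iface} {address} netmask {netmask}"


# Linux interface names are at most 15 characters; VLAN names such as eth0.100
# are allowed, a leading '-' is not, so a name can never be parsed as an option.
_IFACE_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.\-]{0,14}")


# Hardened pattern: validate every parameter against its expected type, then
# return an argv list meant for subprocess.run(argv) with the default shell=False.
def build_cmd_safe(iface: str, address: str, netmask: str) -> list:
    if not _IFACE_RE.fullmatch(iface):
        raise ValueError(f"bad interface name: {iface!r}")
    # IPv4Address raises ValueError for anything that is not a dotted quad,
    # so "192.168.1.5; /bin/sh" or "--help" never reaches the command.
    ipaddress.IPv4Address(address)
    # IPv4Network in netmask notation rejects non-contiguous masks
    # (255.255.255.0 is accepted, 255.0.255.0 is not).
    ipaddress.IPv4Network(f"0.0.0.0/{netmask}")
    return ["ifconfig", iface, address, "netmask", netmask]


def rejects(iface: str, address: str, netmask: str) -> bool:
    """True if the hardened builder refuses the parameters."""
    try:
        build_cmd_safe(iface, address, netmask)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    injected = "192.168.1.5; /bin/sh"  # constructed attacker-supplied value
    print("unsafe command line:", build_cmd_unsafe("eth0", injected, "255.255.255.0"))
    print("hardened builder rejects it:", rejects("eth0", injected, "255.255.255.0"))
    print("hardened argv for good input:", build_cmd_safe("eth0.100", "192.168.1.5", "255.255.255.0"))
```

The same shape applies to `processAnalyticsReport`: the file path handed to the command should be a validated, service-owned path, never a string assembled from request fields.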
## Exploitation
- Status: The researchers demonstrated a working end-to-end chain to root; the detailed steps are in the full report.
- Complexity: **Medium** (an existing client key is needed for the initial authorization bypass; the remaining steps are chained calls to authenticated endpoints).
- Attack Vector: **Network** (the service is intended for LAN use only, but tens of thousands of TVs expose it directly to the Internet).
## Impact
- Confidentiality: High (full system compromise as root; anything on or passing through the TV is readable)
- Integrity: High (remote code execution as root, modification of system files and firmware-level persistence)
- Availability: High (device takeover or disruption at the attacker's discretion)
## Remediation
### Patches
LG has released fixes and advises applying them immediately:
- Refer to the LG PSRC advisory for the patched firmware version of each model.
- **Action:** LG began rolling out fixed firmware on **March 22, 2024**. Install it through the TV's built-in software update (and enable automatic updates) or as a manual download from LG's support site.
### Workarounds
- Do not expose TCP 3000 (ws) and 3001 (wss) to the Internet: remove any port forwarding and disable UPnP on the router, given the large number of publicly exposed devices. On the LAN, place the TV on a segmented IoT network so that only trusted controller devices can reach those ports, because the chain is exploitable by any host that can reach the service.
## Detection
- **Indicators of Compromise:** Client registrations or user profiles the household did not create (CVE-2023-6317), unexplained files fetched through the download manager, or network configuration changes nobody made (CVE-2023-6320).
- **Detection Methods and Tools:** Monitor traffic to ports 3000/3001 for sources outside the trusted network and for calls to the WebOS API endpoints named above, which no legitimate remote-control app needs. Integrity checking of system binaries and files is possible in principle but hard to do on a closed embedded platform.
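The detection idea above, as an added example that is not part of the report: a small analyzer run over a constructed, one-JSON-object-per-line capture of messages to the TV's control ports. It flags sources outside RFC 1918 space, `register` messages that carry `skipPrompt`, calls to the endpoints named in this advisory, and shell metacharacters in request payloads. The capture format, the `ssap://` URI form of the method names, the `skipPrompt` location inside `payload`, and the `address` parameter name are assumptions made for the example; adjust the field paths to whatever your tap or proxy actually emits.

```python
import ipaddress
import json

# Methods named in the advisory. A legitimate remote-control client has no
# reason to call these, so a single call is enough for an alert.
SENSITIVE_URIS = {
    "ssap://system.notifications/createAlert": "CVE-2023-6318 chain (createAlert)",
    "ssap://system.notifications/closeAlert": "CVE-2023-6318 chain (closeAlert)",
    "ssap://com.webos.service.cloudupload/processAnalyticsReport": "CVE-2023-6318 (processAnalyticsReport)",
    "ssap://com.webos.service.downloadmanager/download": "CVE-2023-6318 (file drop via downloadmanager)",
    "ssap://com.webos.service.attachedstoragemanager/getAudioMetadata": "CVE-2023-6319 (getAudioMetadata)",
    "ssap://com.webos.service.connectionmanager/tv/setVlanStaticAddress": "CVE-2023-6320 (setVlanStaticAddress)",
}

# Sources allowed to reach the control ports: the RFC 1918 ranges here,
# narrowed to the controller VLAN in a real deployment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHELL_META = set(";|&`$")


def is_trusted(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_NETS)


def classify(record: dict) -> list:
    """Return the findings for one captured message (empty list means benign)."""
    findings = []
    src = record.get("src", "0.0.0.0")
    msg = record.get("msg", {})
    if not is_trusted(src):
        findings.append(f"control port {record.get('dport')} reached from non-RFC1918 source {src}")
    if msg.get("type") == "register" and "skipPrompt" in msg.get("payload", {}):
        findings.append("register carries skipPrompt (CVE-2023-6317 PIN-prompt bypass pattern)")
    if msg.get("type") == "request":
        uri = msg.get("uri", "")
        if uri in SENSITIVE_URIS:
            findings.append(f"{SENSITIVE_URIS[uri]} called")
        # Crude but useful: any shell separator inside a request payload.
        if SHELL_META & set(json.dumps(msg.get("payload", {}))):
            findings.append("shell metacharacters in request payload")
    return findings


def analyze(lines) -> list:
    """Run classify() over a line-oriented capture and keep only the hits."""
    alerts = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            alerts.append({"line": n, "src": None, "findings": ["unparseable record"]})
            continue
        findings = classify(rec)
        if findings:
            alerts.append({"line": n, "src": rec.get("src"), "findings": findings})
    return alerts


# Constructed capture: two benign LAN messages, then three that match the chain.
SAMPLE_CAPTURE = """
{"src": "192.168.1.20", "dport": 3000, "msg": {"type": "register", "id": "register_0", "payload": {"pairingType": "PROMPT"}}}
{"src": "192.168.1.20", "dport": 3000, "msg": {"type": "request", "id": "1", "uri": "ssap://audio/getVolume", "payload": {}}}
{"src": "203.0.113.10", "dport": 3000, "msg": {"type": "register", "id": "register_0", "payload": {"pairingType": "PROMPT", "skipPrompt": true}}}
{"src": "192.168.1.77", "dport": 3001, "msg": {"type": "request", "id": "2", "uri": "ssap://com.webos.service.connectionmanager/tv/setVlanStaticAddress", "payload": {"address": "192.168.1.5; /bin/sh"}}}
{"src": "203.0.113.10", "dport": 3000, "msg": {"type": "request", "id": "3", "uri": "ssap://system.notifications/createAlert", "payload": {"message": "hi"}}}
"""


def run_sample() -> list:
    return analyze(SAMPLE_CAPTURE.strip().splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"line {a['line']} from {a['src']}: " + "; ".join(a["findings"]))
```

Port 3001 carries TLS, so the payload rules only work where the tap terminates or proxies the connection; the source-address rule works on plain flow records and is the one to deploy first.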
## References
- Vendor advisory: https://lgsecurity.lge.com/bulletins/tv#updateDetails
- Firmware updates: https://www.lg.com/us/support/software-firmware-drivers
- Shodan search (exposure context): https://www.shodan.io/search?query=product%3A%22LG+webOs+TV%22