Full Report
As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers vulnerabilities discovered while researching the LG WebOS TV operating system. We have found several issues affecting WebOS versions 4 through 7 running on LG TVs. These vulnerabilities let us gain root acces
Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in LG webOS TV Leading to Remote Root Takeover
## CVE Details
- CVE ID: CVE-2023-6317, CVE-2023-6318, CVE-2023-6319, CVE-2023-6320
- CVSS Score: Not explicitly provided, but the context implies High/Critical severity due to root access being achievable.
- CWE: Not explicitly specified for all, but encompasses authorization bypass, command injection, and input validation errors.
## Affected Systems
- Products: LG WebOS TV Operating System
- Versions: webOS versions 4 through 7. The specific vulnerable tracks tested were:
  - webOS 4.9.7 - 5.30.40 (e.g., LG43UM7000PLA)
  - webOS 5.5.0 - 04.50.51 (e.g., OLED55CXPUA)
  - webOS 6.3.3-442 - 03.36.50 (e.g., OLED48C1PUB)
  - webOS 7.3.1-43 - 03.33.85 (e.g., OLED55A23LA)
- Configurations: Service intended for LAN access is exposed to the Internet on some devices (over 91,000 identified via Shodan).
## Vulnerability Description
Researchers discovered a chain of vulnerabilities in LG webOS TVs (versions 4-7) that allows an attacker to bypass authentication (PIN verification) and achieve full root access.
1. **CVE-2023-6317 (Authorization Bypass):** The PIN verification required when a client pairs with the TV can be bypassed. The pairing service is the one used by the LG ThinQ app and listens on ports 3000/3001. By manipulating the `skipPrompt` variable through an existing or newly created "no permission" account, an attacker creates a privileged user profile without the owner ever confirming a prompt.
2. **CVE-2023-6318 (Authenticated Root Command Injection):** With a privileged account in hand, a command injection in the `com.webos.service.cloudupload` service yields root. Its `processAnalyticsReport` method passes the `reportFile` parameter into a command without sanitizing it; reaching it requires chaining three authenticated calls (`createAlert`, the vulnerable `cloudupload` call, and `closeAlert`).
3. **CVE-2023-6319 (Authenticated Command Injection to Root):** In `com.webos.service.attachedstoragemanager`, the `fullPath` parameter of `getAudioMetadata` is used unsanitized when the service processes `.lrc` (lyrics) files, giving command injection as root. As with CVE-2023-6318, it needs a chain of authenticated calls.
4. **CVE-2023-6320 (Authenticated Command Injection as dbus):** The `com.webos.service.connectionmanager/tv/setVlanStaticAddress` endpoint inserts the `ip_address`, `bcast_address` and `netmask` parameters directly into a system command, so an authenticated user can execute arbitrary commands as the `dbus` user, whose permissions are close to root's.
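The bug class behind CVE-2023-6320 (and, in the same shape, 6318 and 6319) is request fields concatenated into a shell command. The following is an added illustration, not LG's code and not taken from the Bitdefender report: a hypothetical handler that builds the command the vulnerable way, a hardened version that validates every field as an IPv4 address or contiguous netmask and passes an argv list with no shell, and a small tokenizer that shows what a POSIX shell would make of the injected string. The interface name `eth0.100`, the `ifconfig` invocation and all function names are assumptions.

```python
"""Added example: vulnerable vs. hardened handling of setVlanStaticAddress-style
parameters. Hypothetical code; the real webOS service is not shown in the report."""
import ipaddress
import shlex
import subprocess

ASSUMED_IFACE = "eth0.100"  # assumption: interface name is not given in the report


class InvalidAddress(ValueError):
    """Raised when a request field is not a plain IPv4 address or netmask."""


def build_command_vulnerable(params):
    """Bug class from the report: request fields pasted into a shell string.

    Any shell metacharacter in ip_address, bcast_address or netmask becomes
    part of the command the service runs (as the 'dbus' user in the real case).
    """
    return (
        f"ifconfig {ASSUMED_IFACE} {params['ip_address']} "
        f"broadcast {params['bcast_address']} netmask {params['netmask']}"
    )


def validate_ipv4(value, field):
    """Accept only a dotted-quad IPv4 literal; reject anything else."""
    try:
        return str(ipaddress.IPv4Address(value))
    except ValueError as exc:  # AddressValueError is a ValueError subclass
        raise InvalidAddress(f"{field}: not a dotted-quad IPv4 address") from exc


def validate_netmask(value):
    """An IPv4 literal whose bits are a run of 1s followed by a run of 0s."""
    addr = validate_ipv4(value, "netmask")
    bits = int(ipaddress.IPv4Address(addr))
    inverted = ~bits & 0xFFFFFFFF          # a valid mask inverts to 2**k - 1
    if inverted & (inverted + 1):
        raise InvalidAddress("netmask: bits are not contiguous")
    return addr


def build_command_hardened(params):
    """Validate each field and return an argv list, never a shell string."""
    return [
        "ifconfig", ASSUMED_IFACE,
        validate_ipv4(params["ip_address"], "ip_address"),
        "broadcast", validate_ipv4(params["bcast_address"], "bcast_address"),
        "netmask", validate_netmask(params["netmask"]),
    ]


def run_hardened(params):
    """shell=False: argv goes straight to execve, so no second command can start."""
    return subprocess.run(build_command_hardened(params), shell=False, check=False)


def shell_words(shell_string):
    """Tokenize like a POSIX shell, keeping ';', '|', '&', '<', '>' as separate tokens."""
    lexer = shlex.shlex(shell_string, posix=True, punctuation_chars=True)
    return list(lexer)


def injected_commands(shell_string):
    """Return every command after the first that the shell would run for this string."""
    commands, current = [], []
    for token in shell_words(shell_string):
        if token in (";", "&&", "||", "|", "&"):
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [cmd for cmd in commands[1:] if cmd]


if __name__ == "__main__":
    # Constructed request: the ip_address field smuggles a second command.
    hostile = {"ip_address": "192.168.1.5; id > /tmp/out",
               "bcast_address": "192.168.1.255", "netmask": "255.255.255.0"}
    print("vulnerable string:", build_command_vulnerable(hostile))
    print("extra commands the shell would run:", injected_commands(build_command_vulnerable(hostile)))
    try:
        build_command_hardened(hostile)
    except InvalidAddress as err:
        print("hardened handler rejected it:", err)
```

The validation step matters even with `shell=False`: without it, a value such as `-v` or an option string still reaches `ifconfig` as an argument, so each field is constrained to the one syntax the endpoint is meant to accept.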
## Exploitation
- Status: Researcher proof-of-concept (PoC) demonstrated leading to root access. Not explicitly stated as exploited in the wild, but the potential attack surface is large.
- Complexity: Medium to High; after the initial authorization bypass it requires a sequence of authenticated, chained requests.
- Attack Vector: Network (LAN or Internet if the service is exposed).
## Impact
- Confidentiality: High (Full system access implies ability to read all data).
- Integrity: High (Ability to modify system files and configuration).
- Availability: High (Ability to render the device unusable).
## Remediation
### Patches
LG released patches covering all reported issues on March 22, 2024. Owners should install the latest firmware offered by LG; the report gives only the release date, not the fixed version numbers.
### Workarounds
No official workarounds were published. Given that the vulnerable service listens on ports 3000/3001 and is meant for LAN use only:
1. Make sure the TV is **not reachable from the Internet**: no port-forwarding or UPnP mapping on the router exposes ports 3000/3001, and the TV is not placed in a DMZ.
2. Until the update is installed, limit which LAN hosts can reach the TV (for example, a separate VLAN or guest network for IoT devices) and monitor traffic to those ports, since the PIN bypass works from any host on the same network.
## Detection
- Indicators of compromise (IOCs): unexpected new user profiles on the TV, system binaries executed through API calls, suspicious files in `/media/internal/downloads/`.
- Detection methods and tools: monitor authenticated API traffic to the affected webOS services (e.g., `com.webos.service.connectionmanager`, `system.notifications`) for parameters containing shell metacharacters and for call sequences that match the PoC chains (`createAlert`, the vulnerable call, `closeAlert`).
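The detection logic above, as an added example that is not part of the report: it scans a hypothetical JSON-lines log of authenticated service calls (one object per call with `ts`, `client`, `method` and `params`; this format, the field names and the sample lines are all constructed for the example) for the two patterns the CVEs rely on: shell metacharacters or non-IPv4 values in the injectable parameters named in the report, and the `createAlert` / `processAnalyticsReport` / `closeAlert` sequence from one client inside a short window. Calls are matched on method name so the example does not depend on the exact notification service name.

```python
"""Added detection example over a constructed call log; not code from the report."""
import ipaddress
import json
import re

# Characters that let a value escape a shell command; none belongs in an
# address, netmask or media path passed to these endpoints.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

# Endpoint -> parameters the report identifies as reaching a system command.
INJECTABLE_PARAMS = {
    "tv/setVlanStaticAddress": ("ip_address", "bcast_address", "netmask"),
    "getAudioMetadata": ("fullPath",),
    "processAnalyticsReport": ("reportFile",),
}
CHAIN_WINDOW_SECONDS = 30  # assumption: the three chained calls arrive close together

# Constructed sample log: 10.0.0.23 runs the chains, 10.0.0.9 is a normal client.
SAMPLE_LOG = """\
{"ts": 100, "client": "10.0.0.23", "method": "createAlert", "params": {"message": "Update available"}}
{"ts": 101, "client": "10.0.0.23", "method": "processAnalyticsReport", "params": {"reportFile": "/media/internal/downloads/report.txt; id"}}
{"ts": 102, "client": "10.0.0.23", "method": "closeAlert", "params": {}}
{"ts": 200, "client": "10.0.0.9", "method": "tv/setVlanStaticAddress", "params": {"ip_address": "192.168.1.40", "bcast_address": "192.168.1.255", "netmask": "255.255.255.0"}}
{"ts": 201, "client": "10.0.0.23", "method": "tv/setVlanStaticAddress", "params": {"ip_address": "192.168.1.5`id`", "bcast_address": "192.168.1.255", "netmask": "255.255.255.0"}}
{"ts": 300, "client": "10.0.0.9", "method": "getAudioMetadata", "params": {"fullPath": "/media/internal/downloads/track.lrc"}}
{"ts": 301, "client": "10.0.0.23", "method": "getAudioMetadata", "params": {"fullPath": "/media/internal/downloads/$(id).lrc"}}
{"ts": 400, "client": "10.0.0.77", "method": "tv/setVlanStaticAddress", "params": {"ip_address": "999.1.1.1", "bcast_address": "192.168.1.255", "netmask": "255.255.255.0"}}
"""


def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def check_parameters(ev):
    """Alerts of the form (rule, client, method, field) for one call."""
    alerts = []
    method = ev["method"]
    for field in INJECTABLE_PARAMS.get(method, ()):
        value = str(ev["params"].get(field, ""))
        if SHELL_META.search(value):
            alerts.append(("shell-metachar", ev["client"], method, field))
        elif method == "tv/setVlanStaticAddress" and not is_ipv4(value):
            alerts.append(("non-ipv4-address", ev["client"], method, field))
    return alerts


def check_alert_chain(events):
    """createAlert -> processAnalyticsReport -> closeAlert from one client within the window."""
    alerts = []
    by_client = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_client.setdefault(ev["client"], []).append(ev)
    for client, calls in by_client.items():
        for i, start in enumerate(calls):
            if start["method"] != "createAlert":
                continue
            stage = 1  # 1: saw createAlert, 2: saw processAnalyticsReport
            for later in calls[i + 1:]:
                if later["ts"] - start["ts"] > CHAIN_WINDOW_SECONDS:
                    break
                if stage == 1 and later["method"] == "processAnalyticsReport":
                    stage = 2
                elif stage == 2 and later["method"] == "closeAlert":
                    alerts.append(("cve-2023-6318-chain", client, "createAlert", f"ts={start['ts']}"))
                    break
    return alerts


def detect(log_text):
    """Run both rule sets over a log and return every alert."""
    events = parse_log(log_text)
    alerts = []
    for ev in events:
        alerts.extend(check_parameters(ev))
    alerts.extend(check_alert_chain(events))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The metacharacter rule is deliberately strict: a legitimate client has no reason to send `;`, backticks or `$(` in an address or a lyrics path, so a single hit is enough to flag the client rather than just the call.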
## References
- Vendor advisories: lgsecurity.lge.com/bulletins/tv#updateDetails
- Firmware Updates: lg.com/us/support/software-firmware-drivers