Several security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices.
The findings come from Romanian cybersecurity company Bitdefender, which discovered and documented the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024.
The vulnerabilities are tracked as CVE-2023-6317 through CVE-2023-6320 and affect the following versions of webOS –
- webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA
- webOS 5.5. – 04.50.51 running on OLED55CXPUA
- webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB
- webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA
A brief description of the shortcomings is as follows –
- CVE-2023-6317 – A vulnerability that allows an attacker to bypass PIN verification and add a privileged user profile to the TV set without requiring user interaction
- CVE-2023-6318 – A vulnerability that allows the attacker to elevate their privileges and gain root access to take control of the device
- CVE-2023-6319 – A vulnerability that allows operating system command injection by manipulating a library named asm responsible for showing music lyrics
- CVE-2023-6320 – A vulnerability that allows authenticated command injection by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint
Successful exploitation of the flaws could allow a threat actor to gain elevated permissions on the device, which, in turn, can be chained with CVE-2023-6318 and CVE-2023-6319 to obtain root access, or with CVE-2023-6320 to run arbitrary commands as the dbus user.
“Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet,” Bitdefender said. A majority of the devices are located in South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia.
Some parts of this article are sourced from:
thehackernews.com