Hackers in your living room: 90,000 LG TVs are a new target for hacking

Several webOS vulnerabilities at once give cybercriminals free rein.

Researchers from Bitdefender discovered four vulnerabilities in several versions of webOS, the operating system used in LG smart TVs. These flaws allow attackers to gain unauthorized access and control over devices at various levels, including authorization bypass, privilege escalation, and command injection.

The attack chain starts with the ability to create arbitrary accounts on the device through a service listening on ports 3000/3001, which is intended for pairing smartphones using a PIN code. Internet scans identified 91,000 devices that are reachable online and potentially exposed to these flaws.

The identified security flaws are:
  • CVE-2023-6317: Bypass of the TV authorization mechanism, allowing an attacker to add an additional user without proper authorization (CVSS score 7.2);
  • CVE-2023-6318: Privilege escalation to root after initial access (CVSS score 9.1);
  • CVE-2023-6319: Operating system command injection by manipulating the library responsible for displaying song lyrics (CVSS score 9.1);
  • CVE-2023-6320: Authenticated command execution as the dbus user, whose privileges are similar to root (CVSS score 9.1).

The identified vulnerabilities affect specific versions of the webOS operating system on the following TV models:
  • webOS from 4.9.7 to 5.30.40 on LG43UM7000PLA;
  • webOS from 04.50.51 to 5.5.0 on OLED55CXPUA;
  • webOS from 0.36.50 to 6.3.3-442 on OLED48C1PUB;
  • webOS from 03.33.85 to 7.3.1-43 on OLED55A23LA.
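For anyone who has to check a fleet of these TVs against the version ranges above, here is an added example (not from the article or from Bitdefender) that parses the unevenly formatted webOS version strings and flags affected devices. It assumes the listed range boundaries are inclusive, that leading zeros in a component are not significant, and that a trailing "-build" number orders as one more numeric component; the inventory lines are constructed sample data.

```python
"""Flag LG TVs whose webOS version falls inside the affected ranges listed above."""
import re
from typing import Dict, List, Tuple

# Affected ranges per model, copied from the list above (advisory data).
# Assumption: both boundaries are inclusive.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "LG43UM7000PLA": ("4.9.7", "5.30.40"),
    "OLED55CXPUA": ("04.50.51", "5.5.0"),
    "OLED48C1PUB": ("0.36.50", "6.3.3-442"),
    "OLED55A23LA": ("03.33.85", "7.3.1-43"),
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-(\d+))?")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '04.50.51' or '6.3.3-442' into a tuple of ints.

    Leading zeros are dropped by int(); a trailing '-<build>' becomes an
    extra trailing component (assumption about how LG orders these strings).
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised webOS version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if m.group(2) is not None:
        parts.append(int(m.group(2)))
    return tuple(parts)


def is_affected(model: str, version: str) -> bool:
    """True if the model is listed and the version lies in its affected range.

    Unlisted models return False: they are not covered by the published list,
    which is not the same as being known-safe.
    """
    key = model.strip().upper()
    if key not in AFFECTED_RANGES:
        return False
    low, high = AFFECTED_RANGES[key]
    # Python compares tuples lexicographically; a shorter tuple with an equal
    # prefix sorts lower, so '6.3.3' counts as below '6.3.3-442'.
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def affected_devices(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the hostnames of inventory entries still on an affected version."""
    return [
        entry["host"]
        for entry in inventory
        if is_affected(entry["model"], entry["webos"])
    ]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "tv-lobby", "model": "OLED55CXPUA", "webos": "05.05.00"},
    {"host": "tv-boardroom", "model": "OLED48C1PUB", "webos": "6.3.3-500"},
    {"host": "tv-kitchen", "model": "LG43UM7000PLA", "webos": "4.9.7"},
    {"host": "tv-unknown", "model": "OLED65G1PUA", "webos": "6.3.3"},
]

if __name__ == "__main__":
    for host in affected_devices(SAMPLE_INVENTORY):
        print(f"{host}: webOS version inside an affected range, update required")
```

Because the published list is per model, a hit means "update now" while a miss only means "not on this list"; treat unknown models as needing the same update check through the TV settings menu.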

Bitdefender reported these flaws to LG on November 1, 2023, but the company released the corresponding security updates only more than four months later, on March 22, 2024.

Although LG TVs notify users of important webOS updates, those updates can be postponed indefinitely. Experts therefore recommend applying all available updates immediately through the TV settings menu.

Although TVs are not security-critical devices in themselves, the ability to execute commands on them remotely remains a significant threat, since it can give attackers a foothold from which to attack other devices on the network.

In addition, attackers can steal credentials for streaming or other services that the user has entered into the operating system.

Vulnerable TVs can also be used to spread malware, take part in DDoS attacks, or mine cryptocurrency, which directly affects their performance and, over prolonged use, their wear and lifespan.