
WARNING: CRITICAL VULNERABILITIES IN LG WEBOS TELEVISION SOFTWARE, PATCH IMMEDIATELY!

Reference: 
Advisory #2024-50
Version: 
1.0
Affected software: 
webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA
webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA
Type: 
Authorization bypass, Elevation of Privileges, Remote Code Execution
CVE/CVSS: 

CVE-2023-6317: CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
CVE-2023-6318: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE-2023-6319: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE-2023-6320: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Sources

Bitdefender - https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/

Risks

Multiple vulnerabilities have been discovered in several LG TV models running webOS. These vulnerabilities could be exploited by malicious actors to compromise the devices. The vulnerabilities allow attackers to create a new privileged user account and take over the device. The attackers need network access to the device to exploit it. If your devices are not directly reachable from the internet, they can only be exploited by someone on the local network.

Access to a compromised device could be used to pivot into the rest of your network or organization. The Centre for Cybersecurity Belgium notes that these types of devices, and other smart/IoT devices, are often exploited to become part of a larger botnet used for all types of criminal cyber activities.

Description

The following vulnerabilities can be used to compromise a webOS device. CVE-2023-6317 is used for initial access to the device. CVE-2023-6318, CVE-2023-6319, and CVE-2023-6320 can then be used to elevate privileges and gain deeper control of the device. The device needs to be reachable from the internet to be remotely exploited, for example if it is directly attached to the internet with a public IP address or if a port forward to the device is configured to make it reachable.

CVE-2023-6317

An attacker can create a privileged account without asking the user for the security PIN on LG webOS versions 4 through 7.

CVE-2023-6318

Specially crafted malicious requests can lead to command execution as the root user on LG webOS versions 5 through 7.

CVE-2023-6319

Specially crafted malicious requests can lead to command execution as the root user on LG webOS versions 4 through 7.

CVE-2023-6320

Specially crafted malicious requests can lead to command execution as the dbus user on LG webOS versions 5 and 6.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

In most cases the TV will update itself automatically. Check for updates in the TV settings menu or on the LG website for your specific model: https://www.lg.com/fr/ondersteuning/software-firmware. Patches for these vulnerabilities were released on March 22nd 2024.

The Centre for Cybersecurity Belgium strongly recommends removing any direct access (such as port forwards) from the internet to smart/IoT devices and, where remote access is necessary, using VPN or zero-trust technology instead.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Security Affairs - https://securityaffairs.com/161651/hacking/lg-smart-tvs-vulnerable.html