Critical LG TV Vulnerabilities Allow for Command Execution

LG TV Critical Vulnerabilities Uncovered
LG TV users are advised to update the software to the latest version due to the 4 critical security flaws

LG reports fixing four critical vulnerabilities discovered in many of its TVs. These vulnerabilities were found back in 2023, and could allow malicious actors to gain control of affected LG TVs. Good news – the attacker should connect to the same network to exploit the flaw. Bad news – they can continue using the device afterwards from anywhere.

LG TV Critical Vulnerabilities Uncovered

LG reports addressing 4 critical vulnerabilities discovered in many of its TVs. The company released patches to different versions of their operating system to fix the issue in the way it interacts with LG ThinQ app. These vulnerabilities were uncovered late last year and could affect four specific LG TV models. Among them, CVE-2023-6317 is particularly emphasized on as it effectively opens the device to further exploitation.

The main tricky part about this vulnerability is that it requires being connected to the very same network as the TV does. This drastically complicates the exploitation, potentially making the flaw much less critical. However, a check through the Shodan search engine reveals that there are at least 91,000 devices exposed to the global network, i.e. they can be exploited remotely. Every single one of them is a perfect target for botnets like Mirai or InfectedSlurs.

Potentially vulnerable devices  list
Potentially vulnerable devices accessed remotely

By exploiting these security flaws, malicious actors can attain root access to the devices, allowing them to execute commands at the operating system level. The vulnerabilities stem from internal services that control TVs using LG’s ThinkQ smartphone app within the same local network. Analysis done by BitDefender researchers describes all the flaws in details – here are some of the most interesting facts.

Technical Insights

Further analysis shows that these vulnerabilities have intricate workings. By exploiting errors in account handling mechanisms, attackers can circumvent PIN verification and create privileged user profiles. Subsequent attacks involve injecting OS commands and granting unauthorized access and control over the affected devices.

The procedure of CVE-2023-6317 exploitation is particularly simple, though involves some tinkering with the variables sent during the authentication process. First, the adversary should create an unprivileged account in the ThinQ app, which does not require entering a PIN on the TV. Second, they attempt creating the privileged account, while specifying the companion-client-key of the just created unprivileged account. Due to the lack of key source verification, creating a privileged account will be successful, opening gates for exploiting other 3 flaws.

Key Vulnerabilities

CVE-2023-6317 has CVSS 7.2 and allows the bypass of the second screen.gateway service running on webOS versions 4 through 7. An attacker can create a privileged account without asking the user for the security PIN. This vulnerability affects webOS 4.9.7, 5.5.0, 6.3.3-442, and 7.3.1-43.

CVE-2023-6318 (CVSS 9.1) is a command injection vulnerability in the processAnalyticsReport method from the com.webos.service.cloudupload service on webOS versions 5 through 7. Specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability in webOS 5.5.0, 6.3.3-442, and 7.3.1-43.

CVE-2023-6319 (CVSS 9.1) is the OS command injection vulnerability in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service. The vulnerability affects webOS versions 4.9.7, 5.5.0, 6.3.3-442, and 7.3.1-43. It could allow authenticated command injection due to the lack of proper sanitization of the fullPath parameter.

CVE-2023-6320 (also CVSS 9.1) affects webOS 5.5.0 and 6.3.3-442. It allows authenticated command injection in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint can execute commands on the device as dbus, with permissions similar to those of the root user.

LG Releases Urgent TV OS Updates

As mentioned above, LG has released an update that fixes these vulnerabilities. The repercussions of these vulnerabilities are grave, as unauthorized access could lead to the exploitation of personal data, unauthorized app installations, or even the enlistment of devices into botnets. So, it’s imperative for LG TV owners to apply the available security updates as soon as possible.

While LG TVs are typically set to receive updates automatically, users are advised to verify that their devices are manually running the latest firmware version. By navigating through the settings menu, users can check for updates and ensure their TVs are fortified against potential threats. Also, for minimizing similar risks in future, users should close the access to the device from outside the network. The requirement to be in the same network diminishes any possibility for using the exploit in cyberattacks, making it just about mischieving someone.

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *