AllInfo

LG closes vulnerabilities that allowed webOS televisions to be taken over

Electronics manufacturer LG patched four vulnerabilities in webOS 4, 5, 6 and 7 at the end of March. This is reported by security company Bitdefender. Some of these vulnerabilities made it possible to take over webOS televisions remotely.

According to Bitdefender researchers, the vulnerabilities in question are CVE-2023-6317, CVE-2023-6318, CVE-2023-6319 and CVE-2023-6320. The researchers write that the first vulnerability, CVE-2023-6317, made it possible to bypass the authorization of the webOS operating system and create a new user account on the televisions. This worked via a service that runs on network ports 3000 and 3001, which are used for smartphone connectivity.

The second vulnerability, CVE-2023-6318, allowed the new user account to be given root access. This made it possible to take over the entire television set. Finally, vulnerabilities CVE-2023-6319 and CVE-2023-6320 made it possible to perform a command injection on the affected webOS televisions.

Bitdefender reported the vulnerabilities to LG on November 1, 2023. The South Korean electronics manufacturer confirmed the existence of the vulnerabilities on November 15. On March 22, 2024, an update containing a security patch for them was rolled out. Bitdefender's findings have only now been released. The vulnerabilities were in certain versions of webOS 4, 5, 6 and 7. Bitdefender mentions several specific versions and television models.

Vulnerable versions of LG webOS (via Bitdefender):

LG webOS 4.9.7 – 5.30.40 (on LG43UM7000PLA)
LG webOS 04.50.51 – 5.5.0 (on OLED55CXPUA)
LG webOS 0.36.50 – 6.3.3-442 (on OLED48C1PUB)
LG webOS 03.33.85 – 7.3.1-43 (on OLED55A23LA)
