As many as 91,000 LG TVs face the risk of being commandeered unless they receive a just-released security update patching four critical vulnerabilities discovered late last year.
The vulnerabilities are found in four LG TV models that collectively comprise slightly more than 88,000 units around the world, according to results returned by the Shodan search engine for Internet-connected devices. The vast majority of those units are located in South Korea, followed by Hong Kong, the US, Sweden, and Finland. The models are:
- LG43UM7000PLA running webOS 4.9.7 - 5.30.40
- OLED55CXPUA running webOS 5.5.0 - 04.50.51
- OLED48C1PUB running webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50
- OLED55A23LA running webOS 7.3.1-43 (mullet-mebin) - 03.33.85
Starting Wednesday, updates are available through these devices’ settings menu.
Got root?
According to Bitdefender—the security firm that discovered the vulnerabilities—malicious hackers can exploit them to gain root access to the devices and inject commands that run at the OS level. The vulnerabilities, which affect internal services that allow users to control their sets using their phones, make it possible for attackers to bypass authentication measures designed to ensure only authorized devices can make use of the capabilities.
Advertisement“These vulnerabilities let us gain root access on the TV after bypassing the authorization mechanism,” Bitdefender researchers wrote Tuesday. “Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet.”
The key vulnerability making these threats possible resides in a service that allows TVs to be controlled using LG’s ThinkQ smartphone app when it’s connected to the same local network. The service is designed to require the user to enter a PIN code to prove authorization, but an error allows someone to skip this verification step and become a privileged user. This vulnerability is tracked as CVE-2023-6317.
Once attackers have gained this level of control, they can go on to exploit three other vulnerabilities, specifically:
- CVE-2023-6318, which allows the attackers to elevate their access to root
- CVE-2023-6319, which allows for the injection of OS commands by manipulating a library for showing music lyrics
- CVE-2023-6320, which lets an attacker inject authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress application interface.
The technical details
Bitdefender wrote:
A technical look into the discovered vulnerabilities
WebOS runs a service on ports 3000/3001 (HTTP/HTTPS/WSS) which is used by the LG ThinkQ smartphone app to control the TV. To set up the app, the user must enter a PIN code into the display on the TV screen. An error in the account handler lets an attacker skip the PIN verification entirely and create a privileged user profile.
The function that handles account registration requests uses a variable called skipPrompt which is set to true when either the client-key or the companion-client-key parameters correspond to an existing profile. It also takes into consideration what permissions are requested when deciding whether to prompt the user for a PIN, as confirmation is not required in some cases.
We can request the creation of an account with no permissions, which will be automatically granted. Then we request another account with elevated permissions, but we specify the companion-client-key variable to match the key we got when we created the first account. The server will confirm that this key exists but will not verify if it belongs to the correct account. Thus, the skipPrompt variable will be true and the account will be created without requesting a PIN confirmation on the TV.
This vulnerability, identified as CVE-2023-6317, has been confirmed to affect webOS 4.9.7, 5.5.0, 6.3.3-442, and 7.3.1-43.
Having created a privileged account without user interaction, we now have access to a large attack surface that was inaccessible before. We have found two authenticated command injection vulnerabilities that lead to root access, and another that runs commands as the dbus user.
Authenticated command injection in the processAnalyticsReport method from the com.webos.service.cloudupload service
The processAnalyticsReport method requires three parameters: type, reportFile, and originalFile. When the type parameter is set to analytic the reportFile parameter will be passed to a system command without being sanitized.
Although requests to this method cannot be performed directly, we can use another endpoint, system.notifications/createAlert, to bypass this restriction, accessible only to authenticated users who have the WRITE_NOTIFICATION_TOAST permission. The onclose parameter supported by this endpoint allows us to perform internal requests to services that are not exposed, similar to SSRF. After we create the notification, we trigger the onclose call through the system.notifications/closeAlert endpoint, performing the request to the vulnerable endpoint.
The specified file must exist on the device, but we can bypass this constraint by using the download method from the com.webos.service.downloadmanager service, which will create a file in the /media/internal/downloads/ directory with an arbitrary filename. Both the processAnalyticsReport and download methods can be accessed through the createAlert endpoint.
The vulnerable command is created on line 83 and executed on line 84:
This vulnerability, identified as CVE-2023-6318, has been confirmed to affect webOS 5.5.0, 6.3.3-442, and 7.3.1-43.
Authenticated command injection in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service
The getAudioMetadata method requires two parameters: deviceId and fullPath. While the deviceId parameter is not important, the fullPath parameter will be passed, under certain conditions, to a system command without being sanitized. If this parameter points to a file with the .mp3 extension the service will search in the same directory for the corresponding lyrics file with the same name (.lrc extension). If found, the first four bytes of the lyrics file will be compared with the sequence xFFxFEx00x00. If they match (meaning that the file is UTF1632 encoded) the service will try to decode it using the iconv binary. This binary will be called together with the full filename without prior sanitization, leading to command injection.
Both the .mp3 and .lrc files must exist on the device and can be created using the download method mentioned earlier. All required methods can be accessed through the createAlert endpoint.
The vulnerable code in convLrcStringByBinary from the asm binary:
This vulnerability, identified as CVE-2023-6319, has been confirmed to affect webOS 4.9.7, 5.5.0, 6.3.3-442, and 7.3.1-43.
Authenticated command injection in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint allows execution of commands on the device as dbus
The setVlanStaticAddress endpoint requires three parameters: ip_address, bcast_address, and netmask. All three parameters will be passed to a system command without being sanitized. Before calling this endpoint, we must first call the createVirtualLan endpoint. These endpoints require the READ_NETWORK_STATE permission.
Although the user that executes the commands is dbus, this account has similar permissions as the root user.
Vulnerable code in handle_set_vlan_static_address_command from libwca2.so library:
This vulnerability, identified as CVE-2023-6320, has been confirmed to affect webOS 5.5.0 and 6.3.3-442.
According to LG support pages, both the phone and TV must be connected to the same network for the ThinkQ app to work. A Bitdefender representative confirmed by email that local access is required to exploit the vulnerabilities but noted that once compromised, the sets could be controlled remotely from then on.
AdvertisementIn any event, the vulnerabilities are serious enough to warrant patching since someone with unauthorized access to a TV could potentially access connected paid accounts, monitor viewing habits, install apps, or possibly enroll devices in a botnet. It's unclear why so many LG TVs are appearing in Shodan results. There's rarely a legitimate reason for exposing most Internet of Things devices to the Internet, particularly a TV. Instead, they should be confined behind a router so they are never visible to the outside world. People can check to see what devices their networks are exposing by using free port-scanning tools such as this one.
While many sets are configured to install updates automatically, it’s worth checking the firmware settings to ensure that the most recent version is installed. The precise instructions vary from model to model but generally involve navigating to: Settings > All Settings > Support and then selecting Software Update and then selecting Check for Updates. If an update is available, then select Download and Install. LG has instructions here and here.
