Four vulnerabilities (CVE-2023-6317, CVE-2023-6318, CVE-2023-6319, CVE-2023-6320) have recently been discovered affecting several versions of the webOS operating system used in LG smart TVs.
These vulnerabilities can provide an attacker with unauthorized access and control over affected TV devices, including authorization bypass, privilege escalation, and command input.
Although the vulnerable versions of LG's webOS are intended to be used only on local area networks (LANs), Shodan's Internet scan results indicate that potentially 91,000 devices worldwide are exposed and at risk on the Internet. Of these, more than 3,000 are in Latvia.
Successful exploitation of these vulnerabilities could allow an attacker to gain access to any accounts that are actively used on the TV equipment, or an attacker could attempt to gain access to other equipment on the user's home network, or the TV equipment itself could be compromised for further malicious activity.
The vulnerabilities affect the following versions:
- webOS 4.9.7 - 5.30.40 / LG43UM7000PLA,
- webOS 04.50.51 - 5.5.0 / OLED55CXPUA,
- webOS 0.36.50 - 6.3.3-442 / OLED48C1PUB,
- webOS 03.33.85 - 7.3.1-43 / OLED55A23LA.
Cert strongly recommends all owners of LG TVs to make sure that their devices have the latest security updates, which LG released on March 22 this year. This can be checked by going to Settings > Support > Software Update on the TV and clicking on "Check for Update".
