More than 91,000 LG TVs with webOS are vulnerable to hacking.

Researchers from Bitdefender have discovered several vulnerabilities in LG webOS, the operating system running on LG smart TVs, that can be exploited to bypass authentication and gain root access to the devices. The identified vulnerabilities affect webOS versions 4 through 7.
According to the report:
“WebOS launches a service on ports 3000/3001 (HTTP/HTTPS/WSS), which is used by the LG ThinkQ app on smartphones to control the TV.”

The researchers noted that although the vulnerable service is intended for LAN access only, a Shodan query revealed over 91,000 devices that expose this service to the internet. The number of vulnerable devices has since decreased to 88,000. Most of the internet-exposed devices are located in South Korea, Hong Kong, the USA, Sweden, and Finland.
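A defender-side check for the exposure described above, as an added example that is not part of the original article: it reads `iptables-save` NAT output from a Linux-based router and lists DNAT rules that forward WAN traffic to internal ports 3000/3001. The sample rules are constructed, the helper names are hypothetical, and IPv4 targets are assumed.

```python
import shlex

WEBOS_PORTS = {3000, 3001}  # control-service ports named in the article

# Constructed sample of `iptables-save -t nat` output (not from a real router).
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3001 -j DNAT --to-destination 192.168.1.50:3001
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:3000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2990:3010 -j DNAT --to-destination 192.168.1.60
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,8443 -j DNAT --to-destination 192.168.1.20
COMMIT
"""

def expand_ports(spec):
    """Expand an iptables port spec such as '3000', '2990:3010' or '80,3000'."""
    found = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        found.update(range(int(lo), int(hi or lo) + 1))
    return found

def option_value(tokens, *names):
    """Return the value following the first matching option, or None."""
    for name in names:
        if name in tokens:
            return tokens[tokens.index(name) + 1]
    return None

def exposed_forwards(rules_text):
    """Return (wan_port_spec, internal_target) for DNAT rules reaching 3000/3001."""
    hits = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if "DNAT" not in tokens:
            continue
        wan_spec = option_value(tokens, "--dport", "--dports")
        target = option_value(tokens, "--to-destination")
        if wan_spec is None or target is None:
            continue
        _host, _, fwd = target.partition(":")
        # With no port in the target, the packet keeps its original WAN port.
        internal = expand_ports(fwd.replace("-", ":")) if fwd else expand_ports(wan_spec)
        if internal & WEBOS_PORTS:
            hits.append((wan_spec, target))
    return hits
```

Note that the second hit in the sample is only visible when the internal port is checked: the WAN side listens on 8080 but forwards to port 3000 on the TV.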
List of vulnerabilities:
- CVE-2023-6317: Authentication bypass
- CVE-2023-6318: Privilege escalation
- CVE-2023-6319: Operating system command injection
- CVE-2023-6320: Authenticated command injection
The vulnerabilities affect the following versions of webOS:
- webOS 4.9.7 - 5.30.40
- webOS 5.5.0 - 04.50.51
- webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50
- webOS 7.3.1-43 (mullet-mebin) - 03.33.85
Disclosure timeline:
- November 1, 2023: Vendor disclosure
- November 15, 2023: The vendor confirms the vulnerabilities
- December 14, 2023: The vendor requests an extension
- March 22, 2024: Patch release
- April 9, 2024: Public release of this report
Pierluigi Paganini (SecurityAffairs - hacking, smart TVs)