Over 90,000 LG Smart TVs may be exposed to remote attacks

Security researchers at Bitdefender have discovered four vulnerabilities impacting multiple versions of WebOS, the operating system used in LG smart TVs. The flaws enable varying degrees of unauthorized access and control over affected models, including authorization bypasses, privilege escalation, and command injection.
The potential attacks hinge on the ability to create arbitrary accounts on the device using a service that runs on ports 3000/3001, which is available for smartphone connectivity, using a PIN. Bitdefender explains that although the vulnerable LG WebOS service is supposed to be used only in local area networks settings, Shodan internet scans show 91,000 exposed devices that are potentially vulnerable to the flaws.
CVE-2023-6317 allows attackers to bypass the TV's authorization mechanism by exploiting a variable setting, enabling the addition of an extra user to the TV set without proper authorization.
CVE-2023-6318 is an elevation of privilege vulnerability that allows attackers to gain root access following the initial unauthorized access provided by CVE-2023-6317.
CVE-2023-6319 involves operating system command injection via manipulation of a library responsible for displaying music lyrics, allowing execution of arbitrary commands.
CVE-2023-6320 permits authenticated command injection by exploiting the com.
Connectionmanager/tv/setVlanStaticAddress API endpoint, enabling command execution as the dbus user, which has similar permissions to the root user.
The vulnerabilities impact webOS 4.9.7 - 5.30.40 on LG43UM7000PLA, webOS 04.50.51 - 5.5.0 on OLED55CXPUA, webOS 0.36.50 - 6.3.3-442 on OLED48C1PUB, and webOS 03.33.85 - 7.3.1-43 on OLED55A23LA. Bitdefender reported its findings to LG on November 1, 2023, but it took the vendor until March 22, 2024, to release the related security updates.
Though LG TVs alert users when important WebOS updates are available, those can be postponed indefinitely.
Applying WebOS updates automatically when available can be enabled from the same menu.
Though TVs are less critical in terms of security, the severity of remote command execution remains potentially significant in this case as it could give attackers a pivot point to reach other, more sensitive devices connected to the same network.
Smart TVs often have applications that require accounts, like streaming services, which the attacker could potentially steal to take control of those accounts.
Finally, vulnerable TVs can be compromised by malware botnets that enlist them in distributed denial of service attacks or used for cryptomining.
QNAP warns of critical auth bypass flaw in its NAS devices.
Over 92,000 exposed D-Link NAS devices have a backdoor account.
ScreenConnect critical bug now under attack as exploit code emerges.
New SharePoint flaws help hackers evade detection when stealing files.
Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 09 Apr 2024 15:30:09 +0000


Cyber News related to Over 90,000 LG Smart TVs may be exposed to remote attacks

Over 90,000 LG Smart TVs may be exposed to remote attacks - Security researchers at Bitdefender have discovered four vulnerabilities impacting multiple versions of WebOS, the operating system used in LG smart TVs. The flaws enable varying degrees of unauthorized access and control over affected models, ...
7 months ago Bleepingcomputer.com
Cybersecurity In Critical Infrastructure: Protecting Power Grids and Smart Grids - Cyber Defense Magazine - Network Intrusion: Network communication systems of power and smart grids can be intruded through weak security configurations like default password, unsecured remote access, or unpatched systems and other vulnerabilities to gain control into the ...
1 month ago Cyberdefensemagazine.com
Smart Home Technology: Your Gateway to Modern Living - Smart home technology offers homeowners an array of benefits, from increased convenience and comfort to enhanced safety and energy savings. Smart home technology offers convenience, comfort, safety, and energy savings. Smart home technology provides ...
11 months ago Securityzap.com
Choosing the Perfect Smart Lock for Your Home Security - Installing a smart lock on your home is like building a wall of protection around it. In this article, we will explore the benefits of using smart locks, different types of technology available, security features offered, factors to consider when ...
11 months ago Securityzap.com
Smart Thermostats: Savings and Comfort at Your Fingertips - Smart thermostats offer a modern approach to home temperature control that can provide significant energy savings and enhanced comfort. Smart thermostats offer cost effectiveness, improved indoor air quality, enhanced comfort and convenience, and ...
11 months ago Securityzap.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
11 months ago Esecurityplanet.com
Creating a Smart Home Ecosystem: Seamless Connectivity - Like a finely tuned symphony, creating a smart home ecosystem has the potential to bring harmony and convenience to everyday life. Establishing an interconnected network of digital devices to enable user-controlled automation of various household ...
11 months ago Securityzap.com
Smart Home Security Essentials: Protecting What Matters Most - Smart home security systems provide homeowners with the ability to keep their personal and property safe from intruders, theft, and other potential threats. This article will discuss different types of smart home security systems, benefits, setting ...
11 months ago Securityzap.com
CVE-2024-35292 - A vulnerability has been identified in SIMATIC S7-200 SMART CPU CR40 (6ES7288-1CR40-0AA0) (All versions), SIMATIC S7-200 SMART CPU CR60 (6ES7288-1CR60-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR20 (6ES7288-1SR20-0AA0) (All versions), SIMATIC ...
5 months ago Tenable.com
Samsung Galaxy S23 hacked twice on first day of Pwn2Own Toronto - Security researchers hacked the Samsung Galaxy S23 twice during the first day of the consumer-focused Pwn2Own 2023 hacking contest in Toronto, Canada. They also demoed exploits and vulnerability chains targeting zero-days in Xiaomi's 13 Pro ...
11 months ago Bleepingcomputer.com
Over 40,000 Cisco IOS XE devices infected with backdoor using zero-day - More than 40,000 Cisco devices running the IOS XE operating system have been compromised after hackers exploited a recently disclosed maximum severity vulnerability tracked as CVE-2023-20198. There is no patch or a workaround available and the only ...
11 months ago Bleepingcomputer.com
CVE-2019-13945 - A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family < V4.x (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family V4.x (incl. SIPLUS variants) (All ...
4 years ago
49 unique zero-days Uncovered in Pwn2Own Automotive - On the final day of Pwn2Own Automotive 2024 - Day 3, researchers were granted $1,323,750 in rewards for identifying 49 distinct zero-days. Particularly, the infotainment system and modem of Tesla were attacked by the Synacktiv team, and each ...
9 months ago Cybersecuritynews.com
LG releases updates for vulnerabilities that could allow hackers to gain access to TVs - Four new vulnerabilities affecting thousands of LG TVs have been found by researchers who said the issues could allow hackers to add themselves as users and take other actions. Researchers from cybersecurity firm Bitdefender said the bugs - three of ...
7 months ago Therecord.media
CVE-2021-20698 - Sharp NEC Displays (UN462A R1.300 and prior to it, UN462VA R1.300 and prior to it, UN492S R1.300 and prior to it, UN492VS R1.300 and prior to it, UN552A R1.300 and prior to it, UN552S R1.300 and prior to it, UN552VS R1.300 and prior to it, UN552 ...
2 years ago
CVE-2021-20699 - Sharp NEC Displays ((UN462A R1.300 and prior to it, UN462VA R1.300 and prior to it, UN492S R1.300 and prior to it, UN492VS R1.300 and prior to it, UN552A R1.300 and prior to it, UN552S R1.300 and prior to it, UN552VS R1.300 and prior to it, UN552 ...
2 years ago
Samsung Galaxy S23 hacked two more times at Pwn2Own Toronto - Security researchers hacked the Samsung Galaxy S23 smartphone two more times on the second day of the Pwn2Own 2023 hacking competition in Toronto, Canada. The contestants also demoed zero-day bugs in printers, routers, smart speakers, surveillance ...
11 months ago Bleepingcomputer.com
Number of hacked Cisco IOS XE devices plummets from 50K to hundreds - The number of Cisco IOS XE devices hacked with a malicious backdoor implant has mysteriously plummeted from over 50,000 impacted devices to only a few hundred, with researchers unsure what is causing the sharp decline. This week, Cisco warned that ...
11 months ago Bleepingcomputer.com
Hugging Face API tokens exposed, major projects vulnerable The Register - The API tokens of tech giants Meta, Microsoft, Google, VMware, and more have been found exposed on Hugging Face, opening them up to potential supply chain attacks. Researchers at Lasso Security found more than 1,500 exposed API tokens on the open ...
11 months ago Go.theregister.com
Android game dev's Google Drive misconfig highlights cloud security risks - Japanese game developer Ateam has proven that a simple Google Drive configuration mistake can result in the potential but unlikely exposure of sensitive information for nearly one million people over a period of six years and eight months. The ...
10 months ago Bleepingcomputer.com
Exploit released for critical Cisco IOS XE flaw, many hosts still hacked - Public exploit code is now available for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198 that was leveraged as a zero-day to hack tens of thousands of devices. Cisco released patches for most releases of its IOS XE software but ...
11 months ago Bleepingcomputer.com
Vulnerability Recap 4/15/24: Palo Alto, Microsoft, Ivanti Exploits - Typically, these vulnerabilities result in remote code execution or denial-of-service attacks, posing major dangers to users' data security. Multiple Vulnerabilities Discovered in LG WebOS Smart TVs. Type of vulnerability: Authorization bypass, ...
7 months ago Esecurityplanet.com
How Smart Car is Probably Tracking You? - According to ExpressVPN, there's a concerning number of car manufacturers that collect data on their drivers, and an impressive 84% of them then share or sell this data. Connected to the car's Wi-Fi network, modern smart cars' infotainment systems ...
10 months ago Cybersecuritynews.com
The year of Mega Ransomware attacks with unprecedented impact on global organizations - A Staggering 1 in every 10 organizations worldwide hit by attempted Ransomware attacks in 2023, surging 33% from previous year, when 1 in every 13 organisations received ransomware attacks Throughout 2023, organizations around the world have each ...
10 months ago Blog.checkpoint.com
Bosch Smart Thermostat Feels the Heat From Firmware Bug - A critical vulnerability has been discovered in the widely used, Web-connected Bosch BCC100 thermostat, which is a popular device in hospitality environments. Exploiting this flaw could lead to local unauthorized access, enabling attackers to ...
10 months ago Darkreading.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)