VYPR
Unrated severity · NVD Advisory · Published Apr 9, 2024 · Updated Aug 2, 2024

PIN/prompt bypass on the secondscreen.gateway service allows access to the SSAP API without user interaction

CVE-2023-6317

Description

A prompt bypass in secondscreen.gateway on webOS 4-7 allows attackers to create a privileged account without the security PIN.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The secondscreen.gateway service on webOS versions 4 through 7 contains a prompt bypass vulnerability. By setting a specific variable, an attacker can add a new user without providing the security PIN. Affected versions include webOS 4.9.7 - 5.30.40 (LG43UM7000PLA), webOS 5.5.0 - 04.50.51 (OLED55CXPUA), webOS 6.3.3-442 - 03.36.50 (OLED48C1PUB), and webOS 7.3.1-43 - 03.33.85 (OLED55A23LA) [1].

Exploitation

An attacker with network access to the vulnerable service (typically on ports 3000/3001) can send a crafted request that sets a variable to bypass the PIN prompt, thereby creating a privileged account. The service is intended for LAN access, but over 91,000 devices were found exposed on the Internet via Shodan [1]. No user interaction is required.

Impact

Successful exploitation allows the attacker to create a privileged account on the TV, bypassing the standard PIN-based authentication. This account can then be used to further compromise the device, such as exploiting CVE-2023-6318 to gain root access and full control [1].

Mitigation

LG released a patch on March 22, 2024. Users should update their TV firmware to the latest version provided by the manufacturer. No workarounds are available. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • LG/webOS (llm-fuzzy): 2 versions, 4.0 - 7.3.1-43 + 1 more
    • (no CPE) range: 4.0 - 7.3.1-43
    • (no CPE) range: 4.9.7

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
