Command injection in the processAnalyticsReport method from the com.webos.service.cloudupload service

Vulnerability

A command injection vulnerability exists in the processAnalyticsReport method of the com.webos.service.cloudupload service on webOS versions 5 through 7. The affected versions and models include webOS 5.5.0 - 04.50.51 on OLED55CXPUA, webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 on OLED48C1PUB, and webOS 7.3.1-43 (mullet-mebin) - 03.33.85 on OLED55A23LA [1]. The vulnerability arises when specially crafted requests are sent to the vulnerable service, allowing injection of operating system commands.

Exploitation

To exploit this vulnerability, an attacker must first bypass the authorization mechanism (CVE-2023-6317) to gain authenticated access to the TV set [1]. The attacker then sends a series of specially crafted requests to the processAnalyticsReport method. The service is intended for LAN access only, but over 91,000 devices were identified as exposing this service to the internet via Shodan [1]. No user interaction beyond the initial authentication is required.

Impact

Successful exploitation allows an attacker to execute arbitrary commands as the root user on the affected LG webOS TV [1]. This provides complete control over the device, including the ability to install malware, access sensitive data, or use the TV as a pivot point within a network. The privilege escalation from authenticated user to root is achieved through this vulnerability (CVE-2023-6318) [1].

Mitigation

LG released patches on March 22, 2024 [1]. Users should update their TV firmware to the latest version provided by LG for their specific model. The disclosure timeline indicates that the patch was made available before the public report on April 9, 2024 [1]. No workarounds are mentioned in the available references. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.