Command injection in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint
Description
Command injection in LG webOS connection manager service allows authenticated command execution as dbus user on webOS 5 and 6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint on webOS versions 5 and 6. The affected versions are webOS 5.5.0 - 04.50.51 running on OLED55CXPUA and webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB [1]. The vulnerability allows an attacker with authenticated access to inject arbitrary commands.
Exploitation
An attacker must have authenticated access to the webOS device to trigger the vulnerability. By sending a series of specially crafted requests to the vulnerable endpoint, the attacker can inject operating system commands [1]. The specific steps involve manipulating the API input to execute commands as the dbus user.
Impact
Successful exploitation leads to command execution as the dbus user. Depending on further privileges, this could allow an attacker to gain root access, install malware, or access sensitive data on the device [1]. The scope of compromise is the TV set itself.
Mitigation
A patch was released by LG on March 22, 2024, as part of a firmware update [1]. Users should update their TV's firmware to the latest version available from LG's support website. No workaround is provided; updating is the only mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lgsecurity.lge.com/bulletins/tv (mitre, vendor-advisory)
- bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/ (mitre)