Apr 09, 2024NewsroomVulnerability / IoT Security

Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices.

The findings come from Romanian cybersecurity firm Bitdefender, which discovered and reported the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024.

The vulnerabilities are tracked from CVE-2023-6317 through CVE-2023-6320 and impact the following versions of webOS –

• webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA
• webOS 5.5.0 – 04.50.51 running on OLED55CXPUA
• webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB
• webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA

A brief description of the shortcomings is as follows –

• CVE-2023-6317 – A vulnerability that allows an attacker to bypass PIN verification and add a privileged user profile to the TV set without requiring user interaction

• CVE-2023-6318 – A vulnerability that allows the attacker to elevate their privileges and gain root access to take control of the device

• CVE-2023-6319 – A vulnerability that allows operating system command injection by manipulating a library named asm responsible for showing music lyrics

• CVE-2023-6320 – A vulnerability that allows for the injection of authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint

Successful exploitation of the flaws could allow a threat actor to gain elevated permissions to the device, which, in turn, can be chained with CVE-2023-6318 and CVE-2023-6319 to obtain root access, or with CVE-2023-6320 to run arbitrary commands as the dbus user.

“Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet,” Bitdefender said. A majority of the devices are located in South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia.

Jan 15, 2024NewsroomOperational Technology / Network Security

Multiple security vulnerabilities have been disclosed in Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart nutrunners that, if successfully exploited, could allow attackers to execute arbitrary code on affected systems.

Romanian cybersecurity firm Bitdefender, which discovered the flaw in Bosch BCC100 thermostats last August, said the issue could be weaponized by an attacker to alter the device firmware and implant a rogue version.

Tracked as CVE-2023-49722 (CVSS score: 8.3), the high-severity vulnerability was addressed by Bosch in November 2023.

“A network port 8899 is always open in BCC101/BCC102/BCC50 thermostat products, which allows an unauthenticated connection from a local WiFi network,” the company said in an advisory.

The issue, at its core, impacts the WiFi microcontroller that acts as a network gateway for the thermostat’s logic microcontroller.

By exploiting the flaw, an attacker could send commands to the thermostat, including writing a malicious update to the device that could either render the device inoperable or act as a backdoor to sniff traffic, pivot onto other devices, and other nefarious activities.

Bosch has corrected the shortcoming in firmware version 4.13.33 by closing the port 8899, which it said was used for debugging purposes.

The German engineering and tech company has also been made aware of over two dozen flaws in Rexroth Nexo cordless nutrunners that an unauthenticated attacker could abuse to disrupt operations, tamper with critical configurations, and even install ransomware.

“Given that the NXA015S-36V-B is certified for safety-critical tasks, an attacker could compromise the safety of the assembled product by inducing suboptimal tightening, or cause damage to it due to excessive tightening,” Nozomi Networks said.

The flaws, the operational technology (OT) security firm added, could be used to obtain remote execution of arbitrary code (RCE) with root privileges, and make the pneumatic torque wrench unusable by hijacking the onboard display and disabling the trigger button to demand a ransom.

“Given the ease with which this attack can be automated across numerous devices, an attacker could swiftly render all tools on a production line inaccessible, potentially causing significant disruptions to the final asset owner,” the company added.

Patches for the vulnerabilities, which impact several NXA, NXP, and NXV series devices, are expected to be shipped by Bosch by the end of January 2024. In the interim, users are recommended to limit the network reachability of the device as much as possible and review accounts that have login access to the device.

The development comes as Pentagrid identified several vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices, one which could be leveraged by a user with access to the web interface to execute arbitrary commands as root on the underlying Linux host.