CVE-2022-23730

9.8 CRITICAL

📋 TL;DR

CVE-2022-23730 is an API access control bypass vulnerability in LG webOS TV software that allows attackers to bypass authentication mechanisms and gain unauthorized access to protected API endpoints. This affects LG smart TVs running vulnerable webOS versions, potentially exposing sensitive TV functions and user data to remote attackers.

💻 Affected Systems

Products:
  • LG webOS smart TVs
Versions: webOS 4.9.7 through 7.3.1-442 (kisscurl-kinglake), and earlier versions
Operating Systems: webOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects TVs with webOS TV software where the vulnerable API endpoints are enabled by default. Some models may have different firmware versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the TV system allowing remote code execution, unauthorized access to connected devices, credential theft, and potential lateral movement to other network devices.

🟠 Likely Case

Unauthorized access to TV functions, manipulation of settings, access to connected media services, and potential information disclosure from the TV's local network.

🟢 If Mitigated

Limited impact with proper network segmentation and firewall rules preventing external access to TV management interfaces.

🌐 Internet-Facing: HIGH - Smart TVs are often directly internet-connected with management interfaces exposed, making them accessible to remote attackers.
🏢 Internal Only: MEDIUM - Requires attacker to be on the local network, but many home/business networks have minimal segmentation between devices.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in the public API error handling mechanism, making exploitation straightforward once the vulnerable endpoint is identified. Public exploit code exists demonstrating the bypass technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: webOS 7.3.1-443 (or later security updates)

Vendor Advisory: https://lgsecurity.lge.com/bulletins/tv

Restart Required: Yes

Instructions:

1. Navigate to TV Settings > General > About This TV > Check for Updates.
2. Install any available updates.
3. Restart the TV after installation completes.
4. Verify the webOS version is 7.3.1-443 or higher.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate smart TVs on a separate VLAN or network segment to prevent lateral movement from compromised TVs.

Firewall Rules

Platform: linux

Block external access to TV management ports (typically 3000-3002, 9998, 30005) at network perimeter.

# Run on the perimeter router/firewall, not on the TV. The INPUT chain only covers
# traffic addressed to the firewall host itself; traffic routed on to the TVs is
# filtered in FORWARD. -I puts the rules ahead of any existing ACCEPT rules.
# Replace eth0 with the WAN-facing interface name.
iptables -I FORWARD -i eth0 -p tcp --dport 3000:3002 -j DROP
iptables -I FORWARD -i eth0 -p tcp --dport 9998 -j DROP
iptables -I FORWARD -i eth0 -p tcp --dport 30005 -j DROP

🧯 If You Can't Patch

  • Disable TV's internet connectivity and use only as a display device
  • Place TV behind a firewall that blocks all incoming connections to TV management interfaces

🔍 How to Verify

Check if Vulnerable:

Check webOS version in TV Settings > General > About This TV. If version is between 4.9.7 and 7.3.1-442, the TV is vulnerable.
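For a fleet of TVs it is easier to apply the version check above from an inventory list than to read each settings menu. The following is an added example, not part of this advisory or of LG's tooling: it parses webOS version strings of the form major.minor.patch-build, compares them numerically (a plain string comparison would misorder 7.10.0 against 7.3.1), and reports which entries fall inside the 4.9.7 through 7.3.1-442 range given on this page. The inventory, the TV names and the handling of a missing build number are assumptions made for the example.

```python
import re

# Range this advisory gives under "Check if Vulnerable": 4.9.7 through 7.3.1-442
# inclusive; 7.3.1-443 is the first fixed build.
VULN_FIRST = "4.9.7"
VULN_LAST = "7.3.1-442"
FIXED_FROM = "7.3.1-443"

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-(\d+))?\s*$")


def parse_webos_version(text):
    """Parse 'major.minor.patch[-build]' into a tuple that compares numerically.
    Raises ValueError for strings that do not look like a version. A missing build
    number sorts as 0, so '7.3.1' < '7.3.1-442' (assumption for this example)."""
    m = VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"not a webOS version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version):
    """True when the version falls inside the advisory's vulnerable range."""
    v = parse_webos_version(version)
    return parse_webos_version(VULN_FIRST) <= v <= parse_webos_version(VULN_LAST)


def triage(inventory):
    """Classify {tv_name: version_string} entries. Unparseable versions are reported
    rather than silently skipped so they get a manual check."""
    result = {}
    for name, version in inventory.items():
        try:
            result[name] = "vulnerable" if is_vulnerable(version) else "not_in_range"
        except ValueError:
            result[name] = "unparseable"
    return result


# Constructed inventory for the example (names and versions are made up).
SAMPLE_INVENTORY = {
    "lobby-tv": "7.3.1-442",          # last vulnerable build
    "boardroom-tv": "7.3.1-443",      # first fixed build
    "kitchen-tv": "5.2.0",            # inside the range
    "lab-tv": "7.10.0",               # numerically newer than 7.3.1, though it sorts lower as a string
    "old-tv": "4.9.6",                # below the range
    "unknown-tv": "kisscurl-kinglake",  # codename only, cannot be classified
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14} {SAMPLE_INVENTORY[name]:20} {status}")
```

Entries reported as unparseable should be checked by hand on the TV itself; a codename alone does not identify the build.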

Check Version:

curl http://[TV_IP]:3000/sdk/v1/service/getApp

Alternatively, read the version from the TV settings menu (Settings > General > About This TV).

Verify Fix Applied:

Verify webOS version is 7.3.1-443 or higher. Test API endpoints that were previously vulnerable to confirm authentication is now enforced.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized API access attempts to /sdk/v1/service/* endpoints
  • Authentication bypass patterns in webOS logs
  • Multiple failed authentication attempts followed by successful unauthorized access

Network Indicators:

  • Unusual traffic to TV management ports (3000-3002, 9998, 30005) from external IPs
  • API calls without proper authentication headers
  • Traffic patterns indicating enumeration of TV API endpoints

SIEM Query:

source="webos_logs" AND ("authentication bypass" OR "unauthorized api" OR "/sdk/v1/service/")
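The indicator lists and the SIEM query above are written against whatever log source you have; the script below is an added example, not part of this advisory, that applies the same three indicator classes to a log in code: a 200 response on a /sdk/v1/service/ path with no credentials, management-port traffic (3000-3002, 9998, 30005) from outside the LAN, and one source walking many distinct endpoints. The log line format, the LAN prefix, the enumeration threshold and the endpoint names other than getApp are constructed for the example and are not LG's real log format.

```python
import ipaddress
import re
from collections import defaultdict

# Management ports listed in this advisory's workaround section.
TV_MGMT_PORTS = {3000, 3001, 3002, 9998, 30005}
# Endpoint prefix named under Log Indicators.
SENSITIVE_PATH = re.compile(r"^/sdk/v1/service/")
# Assumptions for this example: the TVs live in this LAN, and five or more distinct
# sensitive endpoints hit by one source counts as enumeration.
LAN = ipaddress.ip_network("192.168.1.0/24")
ENUM_THRESHOLD = 5

# Constructed log format for this example (not LG's real log format):
#   <src_ip> <dst_port> <method> <path> auth=<yes|no> status=<code>
LOG_LINE = re.compile(
    r"^(?P<src>\S+) (?P<dport>\d+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"auth=(?P<auth>yes|no) status=(?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["status"] = int(rec["status"])
    rec["auth"] = rec["auth"] == "yes"
    return rec


def is_external(src):
    """True when the source address is outside the LAN; a non-IP source is treated as external."""
    try:
        return ipaddress.ip_address(src) not in LAN
    except ValueError:
        return True


def analyze(lines):
    """Apply the page's indicator classes to the log and return findings as
    (indicator, source, detail) tuples, in the order they are detected."""
    findings = []
    sensitive_paths_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in TV_MGMT_PORTS:
            continue  # unparseable, or not a management-port request
        # Network indicator: management-port traffic from outside the LAN.
        if is_external(rec["src"]):
            findings.append(("external_source", rec["src"], rec["path"]))
        if SENSITIVE_PATH.match(rec["path"]):
            sensitive_paths_by_src[rec["src"]].add(rec["path"])
            # Log indicator: a sensitive endpoint answered 200 to a request carrying no
            # credentials, which is the access-control bypass this CVE describes.
            if not rec["auth"] and rec["status"] == 200:
                findings.append(("unauthenticated_success", rec["src"], rec["path"]))
    # Network indicator: one source walking many distinct endpoints.
    for src, paths in sensitive_paths_by_src.items():
        if len(paths) >= ENUM_THRESHOLD:
            findings.append(("enumeration", src, f"{len(paths)} distinct endpoints"))
    return findings


# Constructed sample log (endpoint names other than getApp are made up for the example).
SAMPLE_LOG = [
    "192.168.1.20 3000 GET /sdk/v1/service/getApp auth=yes status=200",    # normal, credentialed
    "192.168.1.50 3000 GET /sdk/v1/service/getApp auth=no status=200",     # bypass: 200 with no auth
    "203.0.113.7 3001 GET /sdk/v1/service/getApp auth=no status=401",      # external source, denied
    "192.168.1.50 3000 GET /sdk/v1/service/listApps auth=no status=404",   # enumeration from one host
    "192.168.1.50 3000 GET /sdk/v1/service/getInfo auth=no status=404",
    "192.168.1.50 3000 GET /sdk/v1/service/getVolume auth=no status=404",
    "192.168.1.50 3000 GET /sdk/v1/service/getInput auth=no status=404",
    "192.168.1.20 8080 GET /index.html auth=no status=200",                # not a management port
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for indicator, src, detail in analyze(SAMPLE_LOG):
        print(f"{indicator:24} {src:15} {detail}")
```

The 401 from the external source is still reported, because the indicator is the traffic reaching a management port from outside at all; whether the request succeeded is a separate finding.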

🔗 References
