
Local Root Exploit on Lenovo VIBE Mobile Phones


Lenovo Security Advisory: LEN-15823

Potential Impact:  Elevation of Privilege

Severity:  Medium

Scope of Impact: Lenovo specific

CVE Identifier: CVE-2017-3748, CVE-2017-3749, CVE-2017-3750

Summary Description:

Vulnerabilities have been identified on Lenovo VIBE Mobile Phones that allow the user or an attacker with physical possession of a device that is not protected with a secure lock screen, e.g. PIN/Password, to elevate privileges to the root user (commonly known as “rooting” or “jailbreaking” a device) with the ability to modify the device’s operation and functionality in myriad ways.

1. CVE-2017-3748 - Improper access controls on the nac_server component can be abused in conjunction with CVE-2017-3749 and CVE-2017-3750 to elevate privileges to the root user (commonly known as “rooting” or “jailbreaking” a device).

2. CVE-2017-3749 - The Idea Friend Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748 and CVE-2017-3750.

3. CVE-2017-3750 - The Lenovo Security Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748.
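For teams auditing their own application builds for the backup condition described in CVE-2017-3749 and CVE-2017-3750, the following is an added example, not code from Lenovo or from this advisory. It assumes manifests already decoded to text XML and checks `android:allowBackup`, the standard Android manifest attribute governing ADB backup (the advisory does not name it); the package names and manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = "{%s}allowBackup" % ANDROID_NS


def _manifest(package, app_attrs=""):
    # Builds a constructed sample manifest (hypothetical, not a Lenovo app).
    return ('<manifest xmlns:android="%s" package="%s">'
            '<application %s/></manifest>' % (ANDROID_NS, package, app_attrs))


SAMPLES = [
    _manifest("com.example.contacts"),
    _manifest("com.example.security", 'android:allowBackup="true"'),
    _manifest("com.example.hardened", 'android:allowBackup="false"'),
    _manifest("com.example.indirect", 'android:allowBackup="@bool/backup"'),
]


def audit_manifest(xml_text):
    """Classify one decoded AndroidManifest.xml as (package, status)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "<unknown>")
    app = root.find("application")
    value = None if app is None else app.get(ALLOW_BACKUP)
    if value is None:
        # Attribute absent: the platform default for allowBackup is true.
        return package, "enabled-default"
    value = value.strip().lower()
    if value == "false":
        return package, "disabled"
    if value == "true":
        return package, "enabled-explicit"
    # Resource references such as @bool/... cannot be resolved from XML alone.
    return package, "unresolved"


def backup_exposed(manifests):
    """Packages whose data is not provably excluded from ADB backup."""
    results = map(audit_manifest, manifests)
    return sorted(pkg for pkg, status in results if status != "disabled")


if __name__ == "__main__":
    for sample in SAMPLES:
        print("%s: %s" % audit_manifest(sample))
    print("review:", backup_exposed(SAMPLES))
```

An "unresolved" result means the value is a resource reference and has to be checked against the app's resources by hand.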

Mitigation Strategy for Customers (what you should do to protect yourself):

Lenovo does not advise end users to root devices as it may adversely affect device security & stability.

Users on older Android releases (earlier than Android 6.0 Marshmallow) are advised to take the following actions:

1)  If you have enabled the Android Developer Options menu on your device (uncommon), disable ADB when not in use

2)  Enable lock screen authentication mechanisms; e.g. PIN/Password protection

Product Impact:

Devices that have been upgraded to Android 6.0 Marshmallow are not affected. Select Lenovo products with an Android OS version earlier than 6.0 may be vulnerable to the root exploit.

● To determine the Android device OS version, go to:

                   Settings > About Phone > Device Information > Android version

● To determine the product model of your phone, go to:

                   Settings > About Phone > Device Information > Model number

● To check if software updates are available for your phone:

                   Settings > About Phone > System updates

If updates are available, follow the prompts to install.

Devices not impacted as they have already been upgraded:

A5860

A7010a48

A7020a40

A7020a48

K50-t3s

K50-t5

K51c78

K52e78

P1c58

P1c72

X3a40

X3c50

X3c70

Z90-3

Z90-7

Devices impacted on Android Lollipop that have been patched include:

A2010-a

A2010-l

A2020a40

A2580

A3580

A3690

A3860(t-3)

A3860(ts-3)

A3890

A3910e70

A3910t30

A5600

A5890

A6020a40

A6020a41

A6020a46

A6020i36

A7600

A7600-m

K31-t3-s

K32c36

K52t38

K920

P1ma40

S1La40

Affected products with no fix available:

(refer to the “Mitigation Strategy for Customers” section above)

A1600

A2560

A2800

A2860

A2880

A3000

A3500

A3600-d

A3600u

A3800-d

A3900

A6000

A6000-I

A6600

A6020i37

A6800

K30-E

K30-W-cu

K32c30

K80M

 

Acknowledgements: 

Lenovo thanks Jake Valletta from Mandiant.

For a complete list of all Lenovo Product Security Advisories, click here.

Revision History:

Revision | Date | Description
2 | 6/28/2017 | Added CVE-2017-3749 and CVE-2017-3750. Fix information is identical to the earlier version of this advisory.
1 | 6/22/2017 | Initial release

For the most up-to-date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.


Alias ID: LEN-15823
Document ID: PS500116
Original Publish Date: 06/22/2017
Last Modified Date: 06/29/2017