SHAREit for Android Vulnerabilities

2017-05-08T00:00:00
ID LENOVO:PS500036-NOSID
Type lenovo
Reporter Lenovo
Modified 2017-05-08T00:00:00

Description

Lenovo Security Advisory: LEN-6421
Potential Impact: Users with older Android versions may be vulnerable to remote code execution or a UXSS attack, and users with any Android version may be vulnerable to an intent scheme attack.
Severity: High

Lenovo SHAREit Application: End of Lenovo Support

Summary Description:
Vulnerabilities were identified on Android SHAREit versions lower than 3.5.98_ww. Lenovo recommends customers update to the latest version of SHAREit to mitigate these vulnerabilities.

SHAREit for Android is an application that may be preloaded on some Lenovo mobile devices or downloaded onto non-Lenovo Android devices that lets users share specified files and folders between smartphones, tablets and personal computers.

Fixes include:
1. SHAREit for Android: When a user's Android device's OS version is earlier than 4.2, SHAREit Android versions lower than 3.5.98 are vulnerable to the following Android Remote Code Execution Vulnerabilities: CVE-2012-6636, CVE-2014-1939 or CVE-2014-7224.

2. SHAREit for Android: SHAREit Android versions lower than 3.5.98 are vulnerable to an intent scheme URL attack. This issue has been identified as CVE-2016-4782.

3. SHAREit for Android: When a user's Android device's OS version is earlier than 4.4, SHAREit Android versions lower than 3.5.98 are vulnerable to a UXSS attack. This issue has been identified as CVE-2016-4783.

Mitigation Strategy for Customers (what you should do to protect yourself):
Update to SHAREit for Android version 3.5.98_ww and above by going to the Google Play store and downloading the latest version available: https://play.google.com/store/apps/details?id=com.lenovo.anyshare.gps&hl=en

Acknowledgements:
Thanks to Nicky of Tencent Security Platform Department (CVE-2016-4782, CVE-2016-4783)

Other information and references:
CVE ID: CVE-2016-4782, CVE-2016-4783

Revision History:

*Revision* | *Date* | *Description*
---|---|---
1.1 | 5/20/201 | Edited potential impact to all users instead of only users with older Android versions
1.0 | 5/19/2016 | Initial release