Local Root Exploit on Lenovo VIBE Mobile Phones

2017-06-23T00:00:00
ID LENOVO:PS500116-NOSID
Type lenovo
Reporter Lenovo
Modified 2017-06-23T00:00:00

Description

Lenovo Security Advisory: LEN-15823

Potential Impact: Elevation of Privilege

Severity: Medium

Scope of Impact: Lenovo specific

CVE Identifier: CVE-2017-3748, CVE-2017-3749, CVE-2017-3750

Summary Description:

Vulnerabilities have been identified on Lenovo VIBE Mobile Phones that allow the user or an attacker with physical possession of a device that is not protected with a secure lock screen, e.g. PIN/Password, to elevate privileges to the root user (commonly known as “rooting” or “jailbreaking” a device) with the ability to modify the device’s operation and functionality in myriad ways.

1. CVE-2017-3748 - Improper access controls on the nac_server component can be abused in conjunction with CVE-2017-3749 and CVE-2017-3750 to elevate privileges to the root user (commonly known as “rooting” or “jailbreaking” a device).

2. CVE-2017-3749 - The Idea Friend Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748 and CVE-2017-3750.

3. CVE-2017-3750 - The Lenovo Security Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748.
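For teams auditing their own applications for the backup exposure described in items 2 and 3, the following check is an added example, not code from Lenovo or from this advisory. It assumes the exposure is governed by the standard `android:allowBackup` manifest attribute (the advisory does not name the mechanism) and that manifests are available in decoded text form; the package names and sample manifests are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = "{%s}allowBackup" % ANDROID_NS

# Constructed sample manifests in decoded (text) form; package names are placeholders.
_TEMPLATE = (
    '<manifest xmlns:android="' + ANDROID_NS + '" package="%s">'
    '<application android:label="app" %s/></manifest>'
)
SAMPLE_MANIFESTS = [
    _TEMPLATE % ("com.example.explicit", 'android:allowBackup="true"'),
    _TEMPLATE % ("com.example.implicit", ""),
    _TEMPLATE % ("com.example.resource", 'android:allowBackup="@bool/backup"'),
    _TEMPLATE % ("com.example.hardened", 'android:allowBackup="false"'),
]


def backup_exposure(manifest_xml):
    """Return (package, exposed, reason) for one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    app = root.find("application")
    if app is None:
        return package, False, "no <application> element"
    value = app.get(ALLOW_BACKUP)
    if value is None:
        # Absent attribute: the platform default for allowBackup is true.
        return package, True, "allowBackup not set (defaults to true)"
    if value.strip().lower() == "false":
        return package, False, "allowBackup explicitly false"
    if value.strip().lower() == "true":
        return package, True, "allowBackup explicitly true"
    # Resource references cannot be resolved from the manifest alone.
    return package, True, "allowBackup=%s unresolved, review manually" % value


def audit(manifests):
    """Return the findings for every manifest whose data ADB backup can reach."""
    findings = [backup_exposure(m) for m in manifests]
    return [f for f in findings if f[1]]


if __name__ == "__main__":
    for package, _, reason in audit(SAMPLE_MANIFESTS):
        print("%s: %s" % (package, reason))
```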

Mitigation Strategy for Customers (what you should do to protect yourself):

Lenovo does not advise end users to root devices as it may adversely affect device security & stability.

Users on older Android releases (earlier than Android 6.0 Marshmallow) are advised to take the following actions:

1) If you have enabled the Android Developer Options menu on your device (uncommon), disable ADB when not in use

2) Enable lock screen authentication mechanisms; e.g. PIN/Password protection