Lenovo Security Advisory: LEN-22172
Potential Impact: Root access of the device
Severity: Medium
Scope of Impact: Lenovo Smart Assistant
CVE Identifier: CVE-2018-9070
Summary Description:
Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo. An attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code.
Mitigation Strategy for Customers (what you should do to protect yourself):
Lenovo has updated the firmware automatically to version 12.1.82 through the usual OTA process (Over The Air). You can use the Lenovo Link App to confirm you have this version or later. In the app's menu under "Settings," the version is displayed as "Firmware automatic upgrade v12.1.82."
Acknowledgement:
Lenovo thanks Wen Guanxing from Pangu Lab for reporting this issue.
Revision History:
Revision | Date | Description
---|---|---
1 | 2018-07-12 | Initial release.
For the most up-to-date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an "as is" basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.