Lenovo Vibe mobile phones running on Lollipop and earlier versions of the Android OS contain three vulnerabilities that allow rooting of the device.
According to a Levono advisory, the first vulnerability, CVE-2017-3748, consists of improper access controls on the nac_server component, which can be abused in combination with the remaining two bugs to elevate privileges to root user.
The other bugs, CVE-2017-3749 and CVE-2017-3750, are found in the Idea Friend Android application and The Lenovo Security Android application, respectively. These vulnerabilities allows users (or attackers with access) to back up and restore private data via Android Debug Bridge (ADB) – a feature that can be abused in conjunction with the other bugs to elevate privileges.
Fifteen Lenovo VIBE models were not impacted at all because they were already upgraded to a newer OS, while 25 affected models have been issued a patch, and 20 have no fix available. Lenovo recommends that users of vulnerable devices enable lock screen authentication mechanisms (such as PIN/password protection), as well as disable ADB if they have enabled the Android Developer Options menu .
Discovery of the bugs is credited to Jake Valletta from Mandiant, a division of FireEye. Valletta describes the vulnerabilities in detail on FireEye's company blog.