
Trio of Lenovo Vibe vulnerabilities can lead to device rooting

Lenovo Vibe mobile phones running on Lollipop and earlier versions of the Android OS contain three vulnerabilities that allow rooting of the device.

According to a Lenovo advisory, the first vulnerability, CVE-2017-3748, consists of improper access controls on the nac_server component, which can be abused in combination with the remaining two bugs to elevate privileges to root user.

The other bugs, CVE-2017-3749 and CVE-2017-3750, are found in the Idea Friend Android application and the Lenovo Security Android application, respectively. These vulnerabilities allow users (or attackers with access) to back up and restore private data via Android Debug Bridge (ADB) – a feature that can be abused in conjunction with the other bugs to elevate privileges.

Fifteen Lenovo VIBE models were not impacted at all because they were already upgraded to a newer OS, while 25 affected models have been issued a patch, and 20 have no fix available. Lenovo recommends that users of vulnerable devices enable lock screen authentication mechanisms (such as PIN/password protection), as well as disable ADB if they have enabled the Android Developer Options menu.

Discovery of the bugs is credited to Jake Valletta from Mandiant, a division of FireEye. Valletta describes the vulnerabilities in detail on FireEye's company blog.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
