A Critical Vulnerabilities Discovered in Lenovo Vibe Android Mobiles Phones which leads to Local Privilege Escalation to the Victims device that is not protected with a secure lock screen.
It helps to Escalate the root Access “Jail Breaking” and it leads to change the Device operations and devices Core Functionalities.
This Critical vulnerability Presented in Lenovo products with an Android OS version earlier than Android Marshmallow 6.0 may be vulnerable to the root exploit.
Lenovo Devices that have been upgraded to Marshmallow 6.0 is not Affected.
According to Lenovo, these are the 3 Critical Vulnerabilities, leads to Escalate the Local Privilege.
1. CVE-2017-3748
Improper access controls on the nac_server component can be abused in conjunction with CVE-2017-3749 and CVE-2017-3750 to elevate privileges to the root user (commonly known as ‘rooting’ or “jail breaking” a device).
2. CVE-2017-3749
The Idea Friend Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748 and CVE-2017-3750
3. CVE-2017-3750
The Lenovo Security Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748
Recommendations for Protect Yourself
Lenovo Highly Recommanded to users ,“Do not Jailbreak” their Smart Phones which cause escalate the Privileges easily.
Users on older Android releases (earlier than Android 6.0 Marshmallow) are advised to take the following actions:
1) If you have enabled the Android Developer Options menu on your device (uncommon), disable ADB when not in use
2) Enable lock screen authentication mechanisms; e.g. PIN/Password protection
3) If updates are available, follow the prompts to install.
Devices not impacted as they have already been upgraded:
A5860
A7010a48
A7020a40
A7020a48
K50-t3s
K50-t5
K51c78
K52e78
P1c58
P1c72
X3a40
X3c50
X3c70
Z90-3
Z90-7
Devices impacted on Android Lollipop that have been patched include:
A2010-a
A2010-l
A2020a40
A2580
A3580
A3690
A3860(t-3)
A3860(ts-3)
A3890
A3910e70
A3910t30
A5600
A5890
A6020a40
A6020a41
A6020a46
A6020i36
A7600
A7600-m
K31-t3-s
K32c36
K52t38
K920
P1ma40
S1La40
Affected products with no fix available:
(refer to the “Mitigation Strategy for Customers” section above)
A1600
A2560
A2800
A2860
A2880
A3000
A3500
A3600-d
A3600u
A3800-d
A3900
A6000
A6000-I
A6600
A6020i37
A6800
K30-E
K30-W-cu
K32c30
