The Lenovo VIBE smartphone was found to include vulnerabilities that could allow an attacker with physical access to the device to gain root privileges.
The flaws, Lenovo explains in an advisory, impact only devices that are not protected with a secure lock screen, such as a PIN or a password. By exploiting these issues, a local user or attacker can elevate privileges to the root user and can “modify the device’s operation and functionality in myriad ways.”
A total of three vulnerabilities that can be exploited in conjunction were discovered, but the company says that only devices running versions of Android earlier than 6.0 may be vulnerable to the root exploit.
Tracked as CVE-2017-3748, the first of the three bugs is created by improper access controls on the nac_server component.
The remaining two issues, CVE-2017-3749 and CVE-2017-3750, impact the Idea Friend Android and Lenovo Security Android applications, respectively. Designed to allow “private data to be backed up and restored via Android Debug Bridge,” the apps also allow “tampering leading to privilege escalation.”
The three bugs were found by Mandiant’s Red Team in May 2016 and were reported the same month. In charge of Lenovo’s mobile phone portfolio, Motorola has since corrected the vulnerabilities by redesigning “the affected mechanism to use a more secure process,” Mandiant Red Team’s Jake Valletta explains.
“Allowing backups on privileged applications can also be detrimental and should be disallowed. Just because an application is not running as a privileged Android user ID such as ‘android.uid.system’, does not mean that it cannot introduce vulnerabilities and be used to escalate privileges. Finally, applications should never allow executable code (Java classes, ELF binaries, or shared objects) within backups. This can be limited using a BackupAgent,” Valletta notes.
Because the exploit chain requires local, physical access to a device, it is “very unlikely to see this exploit ‘in the wild’,” the researcher says. However, users are advised to update their devices to the most recent software package their manufacturer has released, as well as to use strong lock screen settings to ensure their devices remain protected.
The complete technical details pertaining to the three vulnerabilities and the manner in which they can be exploited to gain root access are available in Valletta’s blog post.
A total of over 40 Lenovo phone models appear to be impacted by the issue, and the company says that no fix is available for 20 of them (15 other models aren’t impacted, as they have been already updated). Lenovo published a complete list of impacted devices.