
LENOVO QUIETLY PATCHES MASSIVE BUG IMPACTING ITS ANDROID TABLETS AND ZUK, VIBE PHONES

October 18, 2017

By: Sikur

October 17, 2017, 9:00 am

Security experts are urging Lenovo customers to update their Android tablets and handsets to protect themselves against a handful of critical vulnerabilities impacting tens of millions of Lenovo devices.

On Oct. 5, Lenovo quietly rolled out four patches impacting all of its Android tablets, Vibe and Zuk phones, and the Moto M (XT1663) and Moto E3 (XT1706) model handsets.

According to Imre Rad, an independent security researcher who identified the bugs, the vulnerabilities are tied to the Lenovo Service Framework (LSF), an Android application that is exclusive to Lenovo devices and is used by several other Android applications.

According to Lenovo’s description, LSF is used to receive push notifications from Lenovo servers, such as product promotions for apps, news, notices and surveys, and also to facilitate emergency app repairs and upgrades when needed.

However, Rad found that attackers could also exploit LSF to download code onto devices from an arbitrary server, resulting in remote code execution. The four vulnerabilities found by Rad include:

  • CVE-2017-3758 – Improper access controls on several Android components in the LSF application, which can be exploited to enable remote code execution.
  • CVE-2017-3759 – The LSF Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
  • CVE-2017-3760 – The LSF Android application uses a set of non-secure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
  • CVE-2017-3761 – The LSF Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection, which, in turn, could lead to remote code execution.

MORE: https://threatpost.com/lenovo-quietly-patches-massive-bug-impacting-its-android-tablets-and-zuk-vibe-phones/128489/
