by Tom Spring
October 17, 2017, 9:00 am
Security experts are urging Lenovo customers to update their Android tablets and handsets to protect themselves against four critical vulnerabilities affecting tens of millions of Lenovo devices.
On Oct. 5, Lenovo quietly rolled out four patches affecting all of its Android tablets, Vibe and Zuk phones, and the Moto M (XT1663) and Moto E3 (XT1706) handsets.
According to Imre Rad, the independent security researcher who identified the bugs, the vulnerabilities are tied to the Lenovo Service Framework (LSF), an Android application that ships only on Lenovo devices and is used by several other Lenovo applications.
According to Lenovo’s description of LSF, it is used to receive push notifications from Lenovo servers such as product promotions for apps, news, notices, surveys and also to facilitate emergency app repairs and upgrades when needed.
However, Rad found that attackers could also abuse LSF to download code onto a device from an arbitrary server, resulting in remote code execution. The four vulnerabilities found by Rad include:
- CVE-2017-3758 – Improper access controls on several Android components in the LSF application, which can be exploited to enable remote code execution.
- CVE-2017-3759 – The LSF Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
- CVE-2017-3760 – The LSF Android application uses a set of non-secure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
- CVE-2017-3761 – The LSF Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection, which, in turn, could lead to remote code execution.
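The first bug in the list, improper access controls on Android components, is the one a practitioner can check for in any app without vendor cooperation: an activity, service, receiver or provider that is exported and carries no android:permission can be invoked by any other app on the device. The script below is an added example written for this article, not Lenovo's or Rad's code, and the manifest it audits is a constructed sample (the com.example.servicefw package, its component names and permissions are all hypothetical and do not describe the real LSF manifest). It applies the standard manifest rules: an explicit android:exported attribute wins; otherwise a component that declares an intent-filter is exported by default (the behaviour on Android versions before API 31), launcher activities are skipped because they are expected to be public, and a provider counts as protected only if android:permission or both android:readPermission and android:writePermission are set.

```python
"""Audit an AndroidManifest.xml for components that other apps can reach
without a permission gate (the bug class behind CVE-2017-3758).

Added example for this article; the sample manifest below is constructed
and does not describe any real Lenovo application.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """Explicit android:exported wins; otherwise an intent-filter means
    the component is exported (pre-API 31 default)."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def is_launcher(elem):
    """Launcher activities are public by design; do not report them."""
    for filt in elem.findall("intent-filter"):
        for cat in filt.findall("category"):
            if _attr(cat, "name") == LAUNCHER:
                return True
    return False


def is_permission_gated(elem):
    """A component is protected if android:permission is set; a provider
    is also protected when both read and write permissions are set."""
    if _attr(elem, "permission"):
        return True
    if elem.tag == "provider":
        return bool(_attr(elem, "readPermission")) and bool(_attr(elem, "writePermission"))
    return False


def find_unprotected_components(manifest_xml):
    """Return (tag, android:name) for every exported, unprotected component."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    for elem in app if app is not None else []:
        if elem.tag not in COMPONENT_TAGS:
            continue
        if not is_exported(elem) or is_launcher(elem):
            continue
        if is_permission_gated(elem):
            continue
        findings.append((elem.tag, _attr(elem, "name")))
    return findings


# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.servicefw">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".UpdateService" android:exported="true"/>
    <receiver android:name=".PushReceiver">
      <intent-filter><action android:name="com.example.PUSH"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver"
              android:permission="com.example.permission.PUSH">
      <intent-filter><action android:name="com.example.PUSH"/></intent-filter>
    </receiver>
    <service android:name=".InternalService"/>
    <provider android:name=".DataProvider" android:authorities="com.example.data"
              android:exported="true" android:readPermission="com.example.permission.READ"/>
  </application>
</manifest>
"""


if __name__ == "__main__":
    for tag, name in find_unprotected_components(SAMPLE_MANIFEST):
        print("exported without permission: <%s> %s" % (tag, name))
```

On the sample it reports UpdateService (explicitly exported, no permission), PushReceiver (exported by its intent-filter) and DataProvider (write access is ungated even though reads are). InternalService is never reported because it has neither android:exported nor an intent-filter, and GuardedReceiver is skipped because its permission gates callers. To run it against a real APK, decode the binary manifest first (for example with apktool) and pass the resulting XML text to find_unprotected_components; a hit is a lead to investigate, not proof of a vulnerability, since the component may validate its caller in code.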