Three different vulnerabilities found in Lenovo phones

Jul 4, 2017 11:18 GMT

Lenovo has confirmed that VIBE smartphones are vulnerable to a local root exploit due to three different vulnerabilities, with patches already available for some, but not all, of the affected models.

The company explains in an advisory that an attacker with physical access to the device can obtain root privileges if no security system, such as a PIN or password, is configured. Once root privileges are obtained, the attacker can “modify the device’s operation and functionality in myriad ways,” the advisory says.

Lenovo says that one of the vulnerabilities, namely CVE-2017-374, involves improper access controls on the nac_server component, which can be abused in conjunction with other vulnerabilities, including CVE-2017-3749 and CVE-2017-3750. Chained together, they allow attackers to gain root access and take full control of the device.

Rooting a device obviously isn’t the end of the world, though some security systems might be impacted. Given that physical access is required in order to hack the device, there’s a good chance that Lenovo customers aren’t very exposed to hacks.

Patches available for some devices

Devices that have already been upgraded to Android 6.0 Marshmallow are not affected, and the company says that patches have already been provided for a series of models, which you can check out in the box after the jump.

“Lenovo does not advise end users to root devices as it may adversely affect device security & stability. Users on older Android releases (earlier than Android 6.0 Marshmallow) are advised to take the following actions: 1) If you have enabled the Android Developer Options menu on your device (uncommon), disable ADB when not in use 2) Enable lock screen authentication mechanisms; e.g. PIN/Password protection,” the company explains.

The vulnerabilities were first discovered by Mandiant’s Red Team in May 2016 and have been rated as a medium severity risk. Users are advised to update their devices as soon as possible and, if a patch is not available, to apply the workaround mentioned above.

Affected Lenovo Models