Lenovo has rolled out multiple patches that apply to multiple devices in the company’s lineup. Devices in question include Android tablets, Vibe and Zuk phones, and the Moto M (XT1663) and Moto E3 (XT1706) model handsets. According to security experts at Kaspersky Lab, the vulnerabilities reach around “tens of millions of vulnerable Lenovo devices.” The Lenovo patches relate to four major vulnerabilities that have all received a “high-risk” classification from Lenovo’s cybersecurity team due to their exposing devices to remote code execution.
The vulnerabilities are all tied to the Lenovo Service Framework (LSF), which is an Android-based application exclusively utilized by Lenovo products. Below is a list of each vulnerability that was patched along with the cause for the exploit:
- The first vulnerability patched, CVE-2017-3758, is defined by Lenovo in their security advisory as being due to “improper access controls on several Android components.”
- CVE-2017-3759, the second patched vulnerability, results from issues arising because the “Lenovo Service Framework Android application accepts some responses from the server without proper validation.” As a result, man-in-the-middle attacks (and subsequently remote code injection attacks) are possible.
- As for the third vulnerability, CVE-2017-3760, Lenovo’s security team states that the “LSF Android application uses a set of non-secure credentials when performing integrity verification of downloaded applications and/or data.” Just like CVE-2017-3759, this opens up Lenovo devices to man-in-the-middle attacks that could lead to remote code injection.
- In the final patched vulnerability, CVE-2017-3761, the LSF application “executes some system commands without proper sanitization of external input.” The result of this is “command injection which, in turn, could lead to remote code execution.”
Users of any of the devices mentioned at the top of this article should apply the Lenovo patches as soon as possible. Even if you are certain that all recent patches have been applied, it never hurts to double-check. The current patched version of the affected devices is version V220.127.116.113. To check which version you are running, go to Settings-->Apps-->Device Service. If you are running the prepatch software, go here to to download the patches.
Photo credit: Wikimedia