Lenovo customers are encouraged to update their tablets and smartphones as soon as possible, as several critical vulnerabilities affecting millions of Lenovo devices have been discovered.
On October 5th the manufacturer quietly released four new patches for its Android devices, covering all of its tablets, its Vibe and Zuk phones, and two Moto handsets (the M and the E3).
Imre Rad, an independent cybersecurity researcher, discovered the bugs in the Lenovo Service Framework (LSF), an app that several other Android apps rely on and that is found only on Lenovo devices.
LSF is used to push notifications from Lenovo servers to consumers, including product promotions, notices, news, updates and app fixes. According to the researcher, however, LSF can also be abused by attackers to trigger the download of code.
The vulnerabilities that were detected by I. Rad:
Lenovo reported to ThreatPost:
While some devices were impacted, the issues have been patched and updates are available both automatically and manually as indicated in the Security Advisory.
Lenovo also stated that it takes all vulnerabilities very seriously and that the patches are complete and available. The company added that no exploitation of the vulnerabilities in the wild had been detected.
The independent security researcher also noted:
Available actions to attackers include changing system settings, executing shell commands or installing additional packages. Malicious actors could abuse the LSF to deploy code components persistently in parts of the flash memory so that the only removal method would be the factory reset.
The researcher found that, in the case of CVE-2017-3760, the LSF app polled remote web servers for new messages. Because this traffic went over plain HTTP, the server replies were protected only by an RSA signature.
According to I. Rad’s research, “The problem is, the RSA private key that belongs to the public pair that was used for the signature checking, could be found on the internet as part of an example application of a software library”. This could enable an adversary to launch a man-in-the-middle attack on an unsecured Wi-Fi or GSM network – and take control of the Lenovo device remotely.
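As an added illustration (not code from the article, from Lenovo or from the researcher), the following Go program models the defensive version of the flow just described: a reply is acted on only if it arrived over TLS, the pinned verification key is not one whose private half is publicly available, and the signature verifies. The key pair, the deny list of known key pairs and the URL are constructed assumptions for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// Constructed stand-in for the publicly available example key pair the article
// describes; it also seeds a hypothetical deny list of such known key pairs.
var leakedExampleKey, _ = rsa.GenerateKey(rand.Reader, 2048)
var knownPublicKeyPairs = []*rsa.PrivateKey{leakedExampleKey}

// keyIsPubliclyKnown: a signature check against such a key proves nothing.
func keyIsPubliclyKnown(pub *rsa.PublicKey) bool {
	for _, k := range knownPublicKeyPairs {
		if k.N.Cmp(pub.N) == 0 && k.E == pub.E {
			return true
		}
	}
	return false
}

// checkServerReply is the hardened form of the flow the article describes: TLS
// required, pinned key must not be leaked, signature verified before acting.
func checkServerReply(source string, pinned *rsa.PublicKey, msg, sig []byte) error {
	if u, err := url.Parse(source); err != nil || u.Scheme != "https" {
		return errors.New("reply not fetched over https")
	}
	if keyIsPubliclyKnown(pinned) {
		return errors.New("pinned key's private half is publicly available")
	}
	h := sha256.Sum256(msg)
	if rsa.VerifyPKCS1v15(pinned, crypto.SHA256, h[:], sig) != nil {
		return errors.New("signature verification failed")
	}
	return nil
}

func main() {
	// A correctly signed reply is still rejected because the key is leaked.
	msg := []byte("constructed notification payload")
	h := sha256.Sum256(msg)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, leakedExampleKey, crypto.SHA256, h[:])
	fmt.Println(checkServerReply("https://x.invalid/lsf", &leakedExampleKey.PublicKey, msg, sig))
}
```

The point of the deny-list check is that a valid signature is only evidence of authenticity when nobody but the vendor holds the signing key.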
I. Rad discovered these vulnerabilities on May 10th and reported them to Lenovo on May 14th; Lenovo confirmed them 10 days later. Coordinated public disclosure took place on October 5th.