Serious flaws in all Lenovo's Android tablets and a number of mobile phones made by the company have been patched after an independent researcher notified the company about the vulnerabilities.
The flaws also affected all Lenovo VIBE and ZUK devices, and the Moto M (XT1663) and Moto E3 (XT1706) distributed by Lenovo, according to independent researcher Imre Rad.
He told iTWire that the flaws were tied to the Lenovo Service Framework, a privileged system component on Lenovo devices, which provides services to other Lenovo applications.
"They include changing system settings, executing commands (in context and privileges of LSF), downloading and installing new application packages (APKs) and reporting events," Rad said.
He said he had also seen some advertisement-related features, but did not analyse them as he had never seen them in use.
"The same set of services were also exposed to Lenovo via a polling mechanism: LSF periodically calls home to the Lenovo servers over the network and queries tasks to do. When the Lenovo server dispatches some orders, LSF executes them," he explained.

Rad had praise for the way Lenovo reacted when he informed the company about the flaws. "I reached out to the mobile department of Lenovo through the PSIRT team. The vendor was responsible and the communication was professional. My report contained proof of concept code snippets, so that they could reproduce the issues easily. The report was confirmed on May 24," he said.
He was asked to re-evaluate the fixed version of the application before publishing his findings. "I usually do, but this time unfortunately I didn't have time to verify it in the past few weeks either."
He said he had been using a Lenovo mobile phone recently, and also had a Lenovo tablet, but other than that, there was no particular reason why he researched Lenovo products.
"The story actually began with another Android application — which someone on a mailing list suspected was doing something fishy — and while analysing my network traffic I spotted the requests sent by LSF. I had the gut feeling it was worth spending some time understanding what's going on there," he said.
As indeed it was. The following are the four issues that Rad spotted:
CVE-2017-3758: This one is about the lack of authorisation of the incoming service calls: LSF could be invoked by any Android application on the device. Malicious applications could exploit this flaw to hide a backdoor which cannot be easily removed by the owner.
CVE-2017-3759 & CVE-2017-3760: These two are tied to the polling feature. Even though the transport channel is clear-text HTTP, the message payload was integrity protected. LSF supported multiple mechanisms for verifying the integrity of the message, and I identified two ways to circumvent it. One of the algorithms was not a cryptographic one and thus could be calculated by anyone. The other flaw is about the RSA public key for which the corresponding private key could be found on the internet as part of an example application.
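The two polling-channel weaknesses above share one root cause: an integrity tag that an on-path attacker can produce. The following is an added example, written for this page and not taken from the article, from Rad's advisory or from the LSF code. It models a toy task poller in which the message itself chooses the verification algorithm; one option is a plain CRC32 (no secret at all), the other is keyed with a key that has been published, which stands in for the RSA key pair whose private half was found in a public sample app. The message format, field names, key material and the "hmac-leaked" mechanism are all hypothetical. The hardened verifier accepts exactly one keyed algorithm with a secret the attacker does not hold and ignores any algorithm named in the message.

```python
"""Added example (hypothetical message format and keys): forgeable integrity
tags on a clear-text task-polling channel, next to a hardened verifier."""
import hashlib
import hmac
import json
import zlib
from typing import Callable, Optional

# Constructed per-device secret that only the device and the real server hold.
DEVICE_HMAC_KEY = b"per-device-secret-provisioned-at-enrolment"

# Constructed stand-in for "the private key was published in an example app":
# a signing key that anyone can copy from public sample code.
LEAKED_EXAMPLE_KEY = b"sample-app-key-copied-from-public-sdk"


def _crc_tag(body: bytes) -> str:
    # Non-cryptographic checksum: no secret, so anyone can compute it.
    return format(zlib.crc32(body) & 0xFFFFFFFF, "08x")


def _hmac_tag(key: bytes, body: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def weak_verify(msg: dict) -> bool:
    """Vulnerable verifier: the message selects the algorithm ("alg"), and both
    accepted options can be satisfied without a secret only the vendor holds."""
    body = msg["body"].encode()
    if msg.get("alg") == "crc32":
        return hmac.compare_digest(msg["tag"], _crc_tag(body))
    if msg.get("alg") == "hmac-leaked":
        return hmac.compare_digest(msg["tag"], _hmac_tag(LEAKED_EXAMPLE_KEY, body))
    return False


def strong_verify(msg: dict) -> bool:
    """Hardened verifier: a single keyed algorithm, the key is not public, and
    the message cannot negotiate anything weaker (its "alg" field is ignored)."""
    body = msg["body"].encode()
    return hmac.compare_digest(msg.get("tag", ""), _hmac_tag(DEVICE_HMAC_KEY, body))


def server_sign(command: str) -> dict:
    """What the legitimate server sends: body plus tag under the device key."""
    body = json.dumps({"task": "exec", "cmd": command})
    return {"alg": "hmac-device", "body": body, "tag": _hmac_tag(DEVICE_HMAC_KEY, body.encode())}


def forge_task(command: str, alg: str) -> dict:
    """What an on-path attacker on clear-text HTTP can inject: a task whose tag
    needs either no secret (crc32) or a published one (hmac-leaked)."""
    body = json.dumps({"task": "exec", "cmd": command})
    if alg == "crc32":
        tag = _crc_tag(body.encode())
    elif alg == "hmac-leaked":
        tag = _hmac_tag(LEAKED_EXAMPLE_KEY, body.encode())
    else:
        raise ValueError("attacker holds no key for algorithm %r" % alg)
    return {"alg": alg, "body": body, "tag": tag}


def dispatch(msg: dict, verify: Callable[[dict], bool]) -> Optional[str]:
    """Return the command the device would execute, or None if the tag fails."""
    if not verify(msg):
        return None
    return json.loads(msg["body"])["cmd"]


if __name__ == "__main__":
    for alg in ("crc32", "hmac-leaked"):
        forged = forge_task("id", alg)
        print(alg, "weak:", dispatch(forged, weak_verify), "strong:", dispatch(forged, strong_verify))
    print("legitimate, strong:", dispatch(server_sign("update"), strong_verify))
```

Two checks from this carry over to any "call home for tasks" design: an integrity mechanism is only as strong as the secret behind it (a checksum has none, a published key has effectively none), and letting the peer name the algorithm invites a downgrade to the weakest one you still accept. Even with the tag fixed, the channel should be TLS so the attacker cannot observe or replay tasks in the first place.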
CVE-2017-3761: Some functionality of LSF required executing OS-level commands, which was done by concatenating strings together without proper sanitisation first. This is a classical command injection vulnerability, so it is just another approach to achieve arbitrary command execution in the context of LSF.
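The command-injection issue above is the familiar consequence of building a shell command line by string concatenation. The following is an added example, written for this page and not taken from the article, from Rad's advisory or from the LSF code; the "run a job against a host" task shape and the use of `echo` as the underlying command are hypothetical stand-ins. It shows the concatenation pattern actually executing an injected second command, then two layers of fix: passing the untrusted value as a single argv element so no shell parses it, and an allow-list check on the value before it is used at all.

```python
"""Added example (hypothetical task shape): shell command injection through
string concatenation, next to argv passing and allow-list validation."""
import re
import subprocess

# Conservative allow-list for a hostname-like value (constructed for this example).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

# Constructed attacker-controlled task field, as it might arrive in a task message.
PAYLOAD = "example.com; echo INJECTED"


def run_vulnerable(host: str) -> str:
    """Flawed pattern: the untrusted value is glued into a command line and the
    whole string is handed to a shell, so ';', '|', '$(...)' etc. become syntax."""
    cmdline = "echo pinging " + host  # hypothetical stand-in for the real OS command
    out = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True)
    return out.stdout


def run_argv_only(host: str) -> str:
    """First fix: the value travels as one argv element and never reaches a shell,
    so metacharacters are just characters in the argument."""
    out = subprocess.run(["echo", "pinging", host], capture_output=True, text=True)
    return out.stdout


def validate_host(host: str) -> str:
    """Second fix: refuse values that do not look like a host at all. This is
    defence in depth; argv passing already prevents the injection."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected host value: %r" % host)
    return host


def run_hardened(host: str) -> str:
    """Both fixes together: validate, then pass as argv."""
    return run_argv_only(validate_host(host))


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(PAYLOAD)))   # second command runs
    print("argv only: ", repr(run_argv_only(PAYLOAD)))    # payload echoed literally
    try:
        run_hardened(PAYLOAD)
    except ValueError as e:
        print("hardened:  ", e)
```

The argv form is the fix that matters: with `sh -c` gone, there is no parser between the untrusted value and the executed program, so escaping or quoting tricks have nothing to target. Validation is still worth keeping because the target program may interpret its own arguments (an option-looking value such as `-n`, for instance).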
Timeline of the vulnerability disclosure process:
10-13 May: Discovered the vulnerabilities, proof-of-concept exploit created.
14 May: Initial contact with Lenovo PSIRT.
15 May: Disclosed the vulnerability to Lenovo Mobility Business group.
24 May: Lenovo confirmed the vulnerabilities; deadline of public disclosure was negotiated.
20 September: CVE IDs assigned and disclosed (to me).
5 October: Lenovo released patched version of the affected system application along with a press release.
Source: Lenovo flaws affect all Android tablets, some phones