Three vulnerabilities have been found on Lenovo Vibe mobile phones running on Lollipop and earlier versions of the Android OS that allow rooting of the device.
According to a Levono advisory, the first vulnerability, CVE-2017-3748, consists of improper access controls on the nac_server component, which can be abused in combination with the remaining two bugs to elevate privileges to root user. The other bugs, CVE-2017-3749 and CVE-2017-3750, are found in the Idea Friend Android application and The Lenovo Security Android application, respectively. These vulnerabilities allow users (or attackers with access) to back up and restore private data via Android Debug Bridge (ADB)—a feature that can be abused in conjunction with the other bugs to elevate privileges.
The saving grace is that these vulnerabilities can only be exploited by an attacker with physical access to the device. And, it must be one not protected with a secure lock screen, e.g. PIN/password. However, the issue brings up once again the dangers involved in running out-of-date OS (Lollipop was two versions ago).
“This is a minimal risk for users compared with the risk from running an OS that is two major versions out of date,” said Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team (VERT). “When buying an Android device, it is important to verify that the vendor is committed to supporting the device with monthly security updates and ideally at least one major OS update. Buying a phone made by Google (i.e. Pixel phone) is the best way to guarantee access to new software, including security updates.”