ID

VAR-201706-0359


CVE

CVE-2017-3749


TITLE

Vulnerabilities related to authorization, permissions, and access control in the Idea Friend Android application on Lenovo VIBE mobile phones

Trust: 0.8

sources: JVNDB: JVNDB-2017-005176

DESCRIPTION

On Lenovo VIBE mobile phones, the Idea Friend Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748 and CVE-2017-3750. The Idea Friend Android application on Lenovo VIBE mobile phones has vulnerabilities related to authorization, permissions, and access control. When exploited together with CVE-2017-3748 and CVE-2017-3750, information may be obtained or tampered with, and the device may be put into a denial-of-service (DoS) state. Android 6.0 Marshmallow is a Linux-based open source operating system jointly developed by Google and the Open Handset Alliance (OHA). The Lenovo A2010-a and other models are Lenovo smartphones that run the Android 6.0 Marshmallow operating system. A privilege escalation vulnerability exists in several Lenovo VIBE phones using versions prior to Android 6.0 Marshmallow, which stems from the Idea Friend Android app allowing backup and storage of private data via Android Debug Bridge. An attacker could exploit the vulnerability to gain elevated privileges.

Trust: 2.25

sources: NVD: CVE-2017-3749 // JVNDB: JVNDB-2017-005176 // CNVD: CNVD-2017-14023 // VULMON: CVE-2017-3749

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-14023

AFFECTED PRODUCTS

vendor: google, model: android, scope: lte, version: 5.1.1

Trust: 1.0

vendor: google, model: android, scope: -, version: -

Trust: 0.8

vendor: google, model: android, scope: lte, version: <=5.1.1

Trust: 0.6

vendor: lenovo, model: vibe a1600, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a2560, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a2800, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a2860, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a2880, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a3000, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a3500, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a3600-d, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a3600u, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a3800-d, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a3900, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a6000, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a6000-i, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a6020i37, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a6600, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe a6800, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe k30-e, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe k30-w-cu, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe k32c30, scope: -, version: -

Trust: 0.6

vendor: lenovo, model: vibe k80m, scope: -, version: -

Trust: 0.6

vendor: google, model: android, scope: eq, version: 5.1.1

Trust: 0.6

sources: CNVD: CNVD-2017-14023 // JVNDB: JVNDB-2017-005176 // CNNVD: CNNVD-201706-1220 // NVD: CVE-2017-3749

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-3749
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-3749
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-14023
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-1220
value: MEDIUM

Trust: 0.6

VULMON: CVE-2017-3749
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-3749
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2017-14023
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2017-3749
baseSeverity: MEDIUM
baseScore: 6.4
vectorString: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.5
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-14023 // VULMON: CVE-2017-3749 // JVNDB: JVNDB-2017-005176 // CNNVD: CNNVD-201706-1220 // NVD: CVE-2017-3749

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-264

Trust: 0.8

sources: JVNDB: JVNDB-2017-005176 // NVD: CVE-2017-3749

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201706-1220

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201706-1220

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-005176

PATCH

title: Top Page, url: https://www.android.com/intl/ja_jp/phones/

Trust: 0.8

title: VIBE Series, url: http://www3.lenovo.com/in/en/smartphones/smartphone-vibe-series/c/smartphone-vibe-series

Trust: 0.8

title: Patches for several Lenovo VIBE phone privilege escalation vulnerabilities, url: https://www.cnvd.org.cn/patchInfo/show/97880

Trust: 0.6

title: Multiple Lenovo VIBE Fixes for mobile rights permissions and access control vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71358

Trust: 0.6

title: Fireeye Threat Research, url: https://www.fireeye.com/blog/threat-research/2017/05/gaining-root-on-lenovo-vibe.html

Trust: 0.2

sources: CNVD: CNVD-2017-14023 // VULMON: CVE-2017-3749 // JVNDB: JVNDB-2017-005176 // CNNVD: CNNVD-201706-1220

EXTERNAL IDS

db: NVD, id: CVE-2017-3749

Trust: 3.1

db: LENOVO, id: LEN-15823

Trust: 2.3

db: JVNDB, id: JVNDB-2017-005176

Trust: 0.8

db: CNVD, id: CNVD-2017-14023

Trust: 0.6

db: CNNVD, id: CNNVD-201706-1220

Trust: 0.6

db: VULMON, id: CVE-2017-3749

Trust: 0.1

sources: CNVD: CNVD-2017-14023 // VULMON: CVE-2017-3749 // JVNDB: JVNDB-2017-005176 // CNNVD: CNNVD-201706-1220 // NVD: CVE-2017-3749

REFERENCES

url:https://support.lenovo.com/us/en/product_security/len-15823

Trust: 2.3

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3749

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-3749

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.fireeye.com/blog/threat-research/2017/05/gaining-root-on-lenovo-vibe.html

Trust: 0.1

sources: CNVD: CNVD-2017-14023 // VULMON: CVE-2017-3749 // JVNDB: JVNDB-2017-005176 // CNNVD: CNNVD-201706-1220 // NVD: CVE-2017-3749

SOURCES

db: CNVD, id: CNVD-2017-14023
db: VULMON, id: CVE-2017-3749
db: JVNDB, id: JVNDB-2017-005176
db: CNNVD, id: CNNVD-201706-1220
db: NVD, id: CVE-2017-3749

LAST UPDATE DATE

2025-04-20T23:29:41.160000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-14023, date: 2017-07-12T00:00:00
db: VULMON, id: CVE-2017-3749, date: 2019-10-03T00:00:00
db: JVNDB, id: JVNDB-2017-005176, date: 2017-07-20T00:00:00
db: CNNVD, id: CNNVD-201706-1220, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2017-3749, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-14023, date: 2017-07-12T00:00:00
db: VULMON, id: CVE-2017-3749, date: 2017-06-29T00:00:00
db: JVNDB, id: JVNDB-2017-005176, date: 2017-07-20T00:00:00
db: CNNVD, id: CNNVD-201706-1220, date: 2017-06-30T00:00:00
db: NVD, id: CVE-2017-3749, date: 2017-06-29T15:29:00.237