CVE-2017-3749

On Lenovo VIBE mobile phones, the Idea Friend Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748 and CVE-2017-3750.

CVSS v3.0 6.4 MEDIUM
CVSS v2.0 6.9 MEDIUM

6.4^/10

CVSS v3.0 : MEDIUM

Vector : AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 0.5 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 3.4 / Impact : 10.0

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://support.lenovo.com/us/en/product_security/LEN-15823	Mitigation Vendor Advisory

Advertisement

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:google:android:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:vibe_a6800:-:::::::*
	cpe:2.3:h:lenovo:vibe_a2880:-:::::::*
	cpe:2.3:h:lenovo:vibe_a3000:-:::::::*
	cpe:2.3:h:lenovo:vibe_a3500:-:::::::*
	cpe:2.3:h:lenovo:vibe_k30-e:-:::::::*
	cpe:2.3:h:lenovo:vibe_k32c30:-:::::::*
	cpe:2.3:h:lenovo:vibe_a6000:-:::::::*
	cpe:2.3:h:lenovo:vibe_a6600:-:::::::*
	cpe:2.3:h:lenovo:vibe_a2800:-:::::::*
	cpe:2.3:h:lenovo:vibe_a2560:-:::::::*
	cpe:2.3:h:lenovo:vibe_k80m:-:::::::*
	cpe:2.3:h:lenovo:vibe_a3900:-:::::::*
	cpe:2.3:h:lenovo:vibe_a1600:-:::::::*
	cpe:2.3:h:lenovo:vibe_a3800-d:-:::::::*
	cpe:2.3:h:lenovo:vibe_a3600-d:-:::::::*
	cpe:2.3:h:lenovo:vibe_a6020i37:-:::::::*
	cpe:2.3:h:lenovo:vibe_a3600u:-:::::::*
	cpe:2.3:h:lenovo:vibe_k30-w-cu:-:::::::*
	cpe:2.3:h:lenovo:vibe_a6000-i:-:::::::*
	cpe:2.3:h:lenovo:vibe_a2860:-:::::::*

Information

Published : 2017-06-29 08:29

Updated : 2019-10-02 17:03

NVD link : CVE-2017-3749

Mitre link : CVE-2017-3749

JSON object : View

CWE

NVD-CWE-noinfo

Advertisement

Products Affected

lenovo

vibe_a3900
vibe_k30-e
vibe_a2880
vibe_a3600u
vibe_a1600
vibe_a2560
vibe_k30-w-cu
vibe_k32c30
vibe_a3500
vibe_a3000
vibe_a6600
vibe_k80m
vibe_a2860
vibe_a6800
vibe_a6000-i
vibe_a3600-d
vibe_a3800-d
vibe_a6020i37
vibe_a2800
vibe_a6000

google

android

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-15823", "name": "https://support.lenovo.com/us/en/product_security/LEN-15823", "tags": ["Mitigation", "Vendor Advisory"], "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "On Lenovo VIBE mobile phones, the Idea Friend Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748 and CVE-2017-3750."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2017-3749", "ASSIGNER": "psirt@lenovo.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "MEDIUM", "impactScore": 10.0, "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.4, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.5}}, "publishedDate": "2017-06-29T15:29Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:google:android:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "5.1.1"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a6800:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a2880:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a3000:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a3500:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_k30-e:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_k32c30:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a6000:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a6600:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a2800:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a2560:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_k80m:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a3900:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a1600:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a3800-d:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a3600-d:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a6020i37:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a3600u:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_k30-w-cu:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a6000-i:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:vibe_a2860:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2019-10-03T00:03Z"}