Vulnerability Description
On Lenovo VIBE mobile phones, improper access controls on the nac_server component can be abused in conjunction with CVE-2017-3749 and CVE-2017-3750 to elevate privileges to the root user (commonly known as 'rooting' or "jail breaking" a device).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Android | <= 5.1.1 | |
| Lenovo | Vibe A1600 | - |
| Lenovo | Vibe A2560 | - |
| Lenovo | Vibe A2800 | - |
| Lenovo | Vibe A2860 | - |
| Lenovo | Vibe A2880 | - |
| Lenovo | Vibe A3000 | - |
| Lenovo | Vibe A3500 | - |
| Lenovo | Vibe A3600-D | - |
| Lenovo | Vibe A3600U | - |
| Lenovo | Vibe A3800-D | - |
| Lenovo | Vibe A3900 | - |
| Lenovo | Vibe A6000 | - |
| Lenovo | Vibe A6000-I | - |
| Lenovo | Vibe A6020I37 | - |
| Lenovo | Vibe A6600 | - |
| Lenovo | Vibe A6800 | - |
| Lenovo | Vibe K30-E | - |
| Lenovo | Vibe K30-W-Cu | - |
| Lenovo | Vibe K32C30 | - |
References
- http://www.securityfocus.com/bid/99295Third Party AdvisoryVDB Entry
- https://support.lenovo.com/us/en/product_security/LEN-15823MitigationVendor Advisory
- http://www.securityfocus.com/bid/99295Third Party AdvisoryVDB Entry
- https://support.lenovo.com/us/en/product_security/LEN-15823MitigationVendor Advisory
FAQ
What is CVE-2017-3748?
CVE-2017-3748 is a vulnerability with a CVSS score of 7.8 (HIGH). On Lenovo VIBE mobile phones, improper access controls on the nac_server component can be abused in conjunction with CVE-2017-3749 and CVE-2017-3750 to elevate privileges to the root user (commonly kn...
How severe is CVE-2017-3748?
CVE-2017-3748 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-3748?
Check the references section above for vendor advisories and patch information. Affected products include: Google Android, Lenovo Vibe A1600, Lenovo Vibe A2560, Lenovo Vibe A2800, Lenovo Vibe A2860.