Remote code execution in Lenovo Service Framework
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2017-3758 CVE-2017-3759 CVE-2017-3760 CVE-2017-3761 |
| CWE-ID | CWE-284 CWE-300 CWE-77 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Lenovo Service Framework Client/Desktop applications / Other client software |
| Vendor | Lenovo |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU8857
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3758
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target device.
The weakness exists due to improper access controls on several Android components in the LSF application. A remote attacker can gain unauthorized access to the device and execute arbitrary code with elevated privileges.
Update to version 4.8.0.2403.
Vulnerable software versionsLenovo Service Framework: All versions
CPE2.3 External linkshttp://support.lenovo.com/ua/en/product_security/len-15374
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Man-in-the-middle attack
EUVDB-ID: #VU8858
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3759
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct MITM-attack.
The weakness exists due to the LSF application accepts some responses from the server without proper validation. A remote attacker can use man-in-the-middle techniques and possibly execute arbitrary code on the target device.
Update to version 4.8.0.2403.
Vulnerable software versionsLenovo Service Framework: All versions
CPE2.3 External linkshttp://support.lenovo.com/ua/en/product_security/len-15374
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Man-in-the-middle attack
EUVDB-ID: #VU8859
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3760
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct MITM-attack.
The weakness exists due to the LSF application uses a set of nonsecure credentials when performing integrity verification of downloaded applications and/or data. A remote attacker can use man-in-the-middle techniques and possibly execute arbitrary code on the target device.
Update to version 4.8.0.2403.
Vulnerable software versionsLenovo Service Framework: All versions
CPE2.3 External linkshttp://support.lenovo.com/ua/en/product_security/len-15374
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Command injection
EUVDB-ID: #VU8860
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3761
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target device.
The weakness exists due to Lenovo Service Framework application executes some system commands without proper sanitization of external input. A remote attacker can inject commands and execute arbitrary code with elevated privileges.
Update to version 4.8.0.2403.
Vulnerable software versionsLenovo Service Framework: All versions
CPE2.3 External linkshttp://support.lenovo.com/ua/en/product_security/len-15374
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
