CVE-2017-3742 - OpenCVE

In Lenovo Connect2 versions earlier than 4.2.5.4885 for Windows and 4.2.5.3071 for Android, when an ad-hoc connection is made between two systems for the purpose of sharing files, the password for this ad-hoc connection will be stored in a user-readable location. An attacker with read access to the user's contents could connect to the Connect2 hotspot and see the contents of files while they are being transferred between the two systems.

No CVSS v3.1

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Adjacent Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:A/AC:M/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Google	Android
Microsoft	Windows
Lenovo	Connect2

Configuration 1 [-]

AND

cpe:2.3:a:lenovo:connect2:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:a:lenovo:connect2:*:*:*:*:*:*:*:*

cpe:2.3:o:google:android:*:*:*:*:*:*:*:*

References

Link	Resource
https://support.lenovo.com/us/en/product_security/LEN-14398	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: lenovo

Published: 2017-07-13T00:00:00

Updated: 2017-07-17T18:57:01

Reserved: 2016-12-16T00:00:00

Link: CVE-2017-3742

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-07-17T19:29:00.277

Modified: 2017-07-27T01:30:57.747

Link: CVE-2017-3742

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "Lenovo Connect2", "vendor": "Lenovo Group Ltd.", "versions": [{"status": "affected", "version": "Earlier than 4.2.5.4885 for Windows and 4.2.5.3071 for Android."}]}], "datePublic": "2017-07-13T00:00:00", "descriptions": [{"lang": "en", "value": "In Lenovo Connect2 versions earlier than 4.2.5.4885 for Windows and 4.2.5.3071 for Android, when an ad-hoc connection is made between two systems for the purpose of sharing files, the password for this ad-hoc connection will be stored in a user-readable location. An attacker with read access to the user's contents could connect to the Connect2 hotspot and see the contents of files while they are being transferred between the two systems."}], "problemTypes": [{"descriptions": [{"description": "Disclosure of ad-hoc wifi network key stored in user-readable location", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-17T18:57:01", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://support.lenovo.com/us/en/product_security/LEN-14398"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@lenovo.com", "DATE_PUBLIC": "2017-07-13T00:00:00", "ID": "CVE-2017-3742", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Lenovo Connect2", "version": {"version_data": [{"version_value": "Earlier than 4.2.5.4885 for Windows and 4.2.5.3071 for Android."}]}}]}, "vendor_name": "Lenovo Group Ltd."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Lenovo Connect2 versions earlier than 4.2.5.4885 for Windows and 4.2.5.3071 for Android, when an ad-hoc connection is made between two systems for the purpose of sharing files, the password for this ad-hoc connection will be stored in a user-readable location. An attacker with read access to the user's contents could connect to the Connect2 hotspot and see the contents of files while they are being transferred between the two systems."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Disclosure of ad-hoc wifi network key stored in user-readable location"}]}]}, "references": {"reference_data": [{"name": "https://support.lenovo.com/us/en/product_security/LEN-14398", "refsource": "CONFIRM", "url": "https://support.lenovo.com/us/en/product_security/LEN-14398"}]}}}}, "cveMetadata": {"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2017-3742", "datePublished": "2017-07-13T00:00:00", "dateReserved": "2016-12-16T00:00:00", "dateUpdated": "2017-07-17T18:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:connect2:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D397211-B783-40B4-83C7-C01825D6C112", "versionEndIncluding": "4.2.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:connect2:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D397211-B783-40B4-83C7-C01825D6C112", "versionEndIncluding": "4.2.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:*:*:*:*:*:*:*:*", "matchCriteriaId": "8255F035-04C8-4158-B301-82101711939C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "In Lenovo Connect2 versions earlier than 4.2.5.4885 for Windows and 4.2.5.3071 for Android, when an ad-hoc connection is made between two systems for the purpose of sharing files, the password for this ad-hoc connection will be stored in a user-readable location. An attacker with read access to the user's contents could connect to the Connect2 hotspot and see the contents of files while they are being transferred between the two systems."}, {"lang": "es", "value": "En las versiones de Lenovo Connect2 anteriores a 4.2.5.4885 para Windows y versi\u00f3n 4.2.5.3071 para Android, cuando una conexi\u00f3n ad-hoc se realiza entre dos sistemas con el fin de compartir archivos, la contrase\u00f1a de esta conexi\u00f3n ad-hoc ser\u00e1 almacenada en una ubicaci\u00f3n legible por el usuario. Un atacante con acceso de lectura al contenido del usuario podr\u00eda conectarse al punto de acceso Connect2 y visualizar el contenido de los archivos mientras estos son transferidos entre los dos sistemas."}], "id": "CVE-2017-3742", "lastModified": "2017-07-27T01:30:57.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 4.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-07-17T19:29:00.277", "references": [{"source": "psirt@lenovo.com", "tags": ["Vendor Advisory"], "url": "https://support.lenovo.com/us/en/product_security/LEN-14398"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}