CVE-2017-5624
Last modified
CVE-2017-5624 is a vulnerability of currently unknown severity. An issue was discovered in OxygenOS before 4.0.3 for OnePlus 3 and 3T. The attacker can persistently make the (locked) bootloader start the platform with dm-verity disabled, by issuing the 'fastboot oem disable_dm_verity' command. EPSS estimates a 2.67% chance of exploitation in the next 30 days.
Description
An issue was discovered in OxygenOS before 4.0.3 for OnePlus 3 and 3T. The attacker can persistently make the (locked) bootloader start the platform with dm-verity disabled, by issuing the 'fastboot oem disable_dm_verity' command. Having dm-verity disabled, the kernel will not verify the system partition (and any other dm-verity protected partition), which may allow for persistent code execution and privilege escalation.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Oneplus | Oxygenos | <= 4.0.2 |
References
- https://securityresear.ch/2017/02/08/oneplus3-bootloader-vulns/Exploit, Technical Description, Third Party Advisory
- https://securityresear.ch/2017/02/08/oneplus3-bootloader-vulns/Exploit, Technical Description, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-5624?
How severe is CVE-2017-5624?
How do I fix CVE-2017-5624?
Are you affected by CVE-2017-5624?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST