CVE-2017-5554

Name of the Vulnerable Software and Affected Versions OnePlus 3 and 3T OxygenOS versions prior to 4.0.2

Description An issue was discovered in ABOOT that allows an attacker to reboot the device into fastboot mode without authentication. This can be achieved by either physically pressing the "Volume Up" button during device boot or by issuing the adb reboot bootloader command with ADB access. Once in fastboot mode, the attacker can put the platform's SELinux in permissive mode by issuing the fastboot oem selinux permissive command, severely weakening it.

Recommendations For OnePlus 3 and 3T OxygenOS versions prior to 4.0.2, update to version 4.0.2 or later to resolve the issue. As a temporary workaround, consider restricting physical access to the device and limiting ADB access to trusted sources.