Roee Hay

**Name of the Vulnerable Software and Affected Versions** Android SQLite Journal versions prior to 4.0.1 **Description** The issue is an information disclosure vulnerability. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 4.0.1, update to version 4.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OnePlus devices versions OxygenOS 5.0 and earlier **Description** An issue allows an attacker to reboot the device into the Qualcomm Emergency Download (EDL) mode, potentially enabling the downgrading of partitions such as the Android Bootloader. This can be achieved through ADB or by using the Volume-Up button when connected to USB. **Recommendations** For OxygenOS 5.0 and earlier, consider restricting access to ADB and physical interactions with the device, such as limiting the use of the Volume-Up button when connected to USB, until a patch is available. As a temporary workaround, restrict physical access to the device to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MyScript SDK versions prior to 1.3 for Android **Description** The issue allows attackers to execute arbitrary code by leveraging a finalize method in a Serializable class. This is due to the class improperly passing an attacker-controlled pointer to a native function. **Recommendations** For MyScript SDK versions prior to 1.3 for Android, update to version 1.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GraceNote GNSDK SDK versions prior to SVN Changeset 1.1.7 **Description** The issue allows attackers to execute arbitrary code by leveraging a finalize method in a Serializable class. This method improperly passes an attacker-controlled pointer to a native function. **Recommendations** For versions prior to SVN Changeset 1.1.7, update to a version that includes the fix for this issue.

**Name of the Vulnerable Software and Affected Versions** PJSUA2 SDK versions prior to SVN Changeset 51322 for Android **Description** The issue allows attackers to execute arbitrary code by leveraging a finalize method in a Serializable class. This method improperly passes an attacker-controlled pointer to a native function, potentially leading to code execution. **Recommendations** For versions prior to SVN Changeset 51322, update to a version that includes the fix for this issue to prevent potential code execution attacks.

**Name of the Vulnerable Software and Affected Versions** ESRI ArcGis Runtime SDK versions prior to 10.2.6-2 for Android **Description** The issue allows attackers to execute arbitrary code by leveraging a finalize method in a Serializable class. This is due to the improper passing of an attacker-controlled pointer to a native function. **Recommendations** For versions prior to 10.2.6-2, update to version 10.2.6-2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MetaIO SDK versions prior to 6.0.2.1 **Description** The issue allows attackers to execute arbitrary code by leveraging a finalize method in a Serializable class. This is due to the class improperly passing an attacker-controlled pointer to a native function. **Recommendations** For versions prior to 6.0.2.1, update to version 6.0.2.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jumio SDK versions prior to 1.5.0 for Android **Description** The issue allows attackers to execute arbitrary code by leveraging a finalize method in a Serializable class. This is done by improperly passing an attacker-controlled pointer to a native function. **Recommendations** For versions prior to 1.5.0, update to version 1.5.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OnePlus 2 Primary Bootloader (PBL) (affected versions not specified) **Description** The issue is related to insufficient validation of the SBL1 partition by the Primary Bootloader, which contains a certificate. This allows attackers with write access to the SBL1 partition to disable signature validation, potentially leading to unauthorized execution of code. The vulnerability is associated with inadequate access control and certificate checking by the bootloader. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel versions prior to 3.10 Android Kernel-3.10 **Description** The issue is related to a debugger in the Linux kernel's FIQ, which has inadequate access control. This could allow a remote attacker to elevate privileges and execute arbitrary code within the kernel context using a local malicious application. The problem is considered serious due to the potential for local permanent device compromise, which might necessitate reflashing the operating system to repair the device. **Recommendations** For Linux Kernel versions prior to 3.10: Update to a version that includes the necessary security patches to fix the access control issues in the kernel's FIQ debugger. For Android Kernel-3.10: Consider applying security patches or updates provided by the device manufacturer to address the elevation of privilege vulnerability in the kernel FIQ debugger.

**Name of the Vulnerable Software and Affected Versions** Linux (affected versions not specified) **Description** The issue is caused by a missing bounds check in the Linux kernel, specifically in the drivers/char/lp.c file. This allows an adversary with partial control over the kernel command line, potentially due to bootloader vulnerabilities, to overflow the parport nr array by appending multiple 'lp=none' arguments. The vulnerability can be exploited to cause a denial of service. **Recommendations** For Linux, consider disabling the `lp setup()` function as a temporary workaround until a patch is available. Restrict access to the `parport nr` array to minimize the risk of exploitation. Avoid using the `lp=none` argument in the kernel command line until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Android versions Kernel-3.10, Kernel-3.18 **Description** The issue is related to an elevation of privilege vulnerability in the Motorola bootloader, which could allow a local malicious application to execute arbitrary code within the context of the bootloader. This may lead to a local permanent device compromise, requiring reflashing the operating system to repair the device. The vulnerability is also described as being related to insufficient access control in the Motorola bootloader, potentially allowing an attacker to execute arbitrary code. **Recommendations** For Android versions Kernel-3.10, Kernel-3.18, consider restricting access to the bootloader until a patch is available. As a temporary workaround, avoid using the vulnerable bootloader functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OnePlus One versions (affected versions not specified) OnePlus X versions (affected versions not specified) **Description** An issue allows attackers to install OTAs of one product over the other, even on locked bootloaders, due to a lenient updater-script and shared OTA verification keys. This could lead to the exploitation of patched vulnerabilities and expansion of the attack surface. The device may become unusable until a Factory Reset is performed. The vulnerability can be exploited by Man-in-the-Middle (MiTM) attackers targeting the update process, as it does not occur over TLS. Physical attackers can also reboot the phone into recovery and use 'adb sideload' to push the OTA. **Recommendations** For OnePlus One, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For OnePlus X, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OnePlus devices (One, X, 2, 3, and 3T) running OxygenOS and HydrogenOS (affected versions not specified) **Description** The issue allows for downgrade attacks due to a lenient 'updater-script' in OTAs that does not check the current version against the given image's version. This enables downgrades to occur even on locked bootloaders and without triggering a factory reset, potentially exploiting now-patched vulnerabilities and accessing user data. The vulnerability can be exploited by a Man-in-the-Middle (MiTM) attacker targeting the update process, as the update transaction does not occur over TLS. Additionally, a physical attacker can reboot the phone into recovery and use 'adb sideload' to push the OTA, provided 'Secure Start-up' is off on OnePlus 3/3T devices. **Recommendations** For OnePlus One, X, 2, 3, and 3T devices running OxygenOS and HydrogenOS, consider disabling the OTA update feature until a patch is available to prevent potential downgrade attacks. Restrict physical access to the devices to minimize the risk of exploitation by a physical attacker. Avoid using public or unsecured networks for updating the devices to reduce the risk of Man-in-the-Middle attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OnePlus One version (affected versions not specified) OnePlus X version (affected versions not specified) OnePlus 2 version (affected versions not specified) OnePlus 3 version (affected versions not specified) OnePlus 3T version (affected versions not specified) **Description** An issue allows attackers to install HydrogenOS over OxygenOS and vice versa, even on locked bootloaders. This enables exploitation of vulnerabilities patched on one image but not on the other and expands the attack surface. The vulnerability can be exploited by Man-in-the-Middle (MiTM) attackers targeting the update process, as it does not occur over TLS. Physical attackers can also reboot the phone into recovery and use 'adb sideload' to push the OTA, provided 'Secure Start-up' is off on OnePlus 3 and 3T devices. **Recommendations** For OnePlus One, update the OTA verification keys and ensure the updater-script is not lenient. For OnePlus X, update the OTA verification keys and ensure the updater-script is not lenient. For OnePlus 2, update the OTA verification keys and ensure the updater-script is not lenient. For OnePlus 3, update the OTA verification keys, ensure the updater-script is not lenient, and enable 'Secure Start-up' to prevent physical attacks. For OnePlus 3T, update the OTA verification keys, ensure the updater-script is not lenient, and enable 'Secure Start-up' to prevent physical attacks.

**Name of the Vulnerable Software and Affected Versions** OxygenOS versions prior to 4.0.3 **Description** The issue allows an unauthorized attacker to partially dump the ciphertext content of an arbitrary partition, except 'keystore', by using the 'fastboot oem dump <partition>' command. This affects OnePlus 3 and 3T devices. **Recommendations** For OxygenOS versions prior to 4.0.3, update to version 4.0.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Android versions Kernel-3.10 **Description** The issue is related to an elevation of privilege vulnerability in the HTC OEM fastboot command, which could allow a local malicious application to execute arbitrary code within the context of the sensor hub. This vulnerability is rated as Moderate because it first requires exploitation of separate vulnerabilities. **Recommendations** For Android versions Kernel-3.10, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OnePlus 3 and 3T versions prior to 4.0.3 **Description** The issue allows a malicious charger or a physical attacker to open an ADB session with the device without authorization when a charger is connected to a powered-off device. This can be used to further exploit other vulnerabilities and/or exfiltrate sensitive information. **Recommendations** For versions prior to 4.0.3, update to version 4.0.3 or later to resolve the issue. As a temporary workaround, consider disabling ADB when the device is powered off to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OxygenOS versions prior to 4.1.0 **Description** An issue was discovered that allows an attacker to change the boot mode of the device by issuing a specific command, contradicting the Android threat model where the bootloader should not allow security-sensitive operations unless it is unlocked. **Recommendations** For OxygenOS versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the fastboot command to minimize the risk of exploitation. Avoid using the `fastboot oem boot mode` command with parameters such as `{rf/wlan/ftm/normal}` until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OxygenOS versions prior to 4.0.3 **Description** An issue in OxygenOS allows an attacker to persistently disable dm-verity, which is used by the kernel to verify the system partition, by issuing the `fastboot oem disable dm verity` command. This may allow for persistent code execution and privilege escalation. The vulnerability is related to insufficient access control and can be exploited remotely to gain root privileges and block warnings about system partition replacement. **Recommendations** For OxygenOS versions prior to 4.0.3, update to version 4.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `fastboot oem disable dm verity` command to minimize the risk of exploitation.