PT-2017-18580 · Oneplus · Oneplus One+5

Roee Hay +1 · Published 2017-05-11 · Updated 2019-10-03 · CVE-2017-8850

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

OnePlus One (affected versions not specified)
OnePlus X (affected versions not specified)
OnePlus 2 (affected versions not specified)
OnePlus 3 (affected versions not specified)
OnePlus 3T (affected versions not specified)

Description

An issue allows attackers to install HydrogenOS over OxygenOS and vice versa, even on locked bootloaders. This enables exploitation of vulnerabilities that are patched on one image but not on the other, and it expands the attack surface. Man-in-the-Middle (MiTM) attackers can exploit the vulnerability by targeting the update process, because that process does not occur over TLS. Physical attackers can also reboot the phone into recovery and use 'adb sideload' to push the OTA, provided 'Secure Start-up' is off on OnePlus 3 and 3T devices.

Recommendations

For OnePlus One, update the OTA verification keys and ensure the updater-script is not lenient.
For OnePlus X, update the OTA verification keys and ensure the updater-script is not lenient.
For OnePlus 2, update the OTA verification keys and ensure the updater-script is not lenient.
For OnePlus 3, update the OTA verification keys, ensure the updater-script is not lenient, and enable 'Secure Start-up' to prevent physical attacks.
For OnePlus 3T, update the OTA verification keys, ensure the updater-script is not lenient, and enable 'Secure Start-up' to prevent physical attacks.

Exploit

Fix

Cleartext Transmission of Sensitive Information

Weakness Enumeration

Related Identifiers

CVE-2017-8850

Affected Products

Hydrogenos
Oneplus 2
Oneplus 3
Oneplus One
Oneplus X
Oxygenos