PT-2017-18581 · Oneplus · Oneplus One+1

Roee Hay · Published 2017-05-11 · Updated 2019-10-03 · CVE-2017-8851

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

OnePlus One versions (affected versions not specified)
OnePlus X versions (affected versions not specified)
Description

An issue allows attackers to install OTAs of one product over the other, even on locked bootloaders, due to a lenient updater-script and shared OTA verification keys. This could lead to the exploitation of patched vulnerabilities and expansion of the attack surface. The device may become unusable until a Factory Reset is performed. The vulnerability can be exploited by Man-in-the-Middle (MiTM) attackers targeting the update process, because that process does not occur over TLS. Physical attackers can also reboot the phone into recovery and use 'adb sideload' to push the OTA.
Recommendations

For OnePlus One, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
For OnePlus X, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Cleartext Transmission of Sensitive Information

Weakness Enumeration

Related Identifiers

CVE-2017-8851

Affected Products

Oneplus One
Oneplus X