PT-2017-3177 · Oneplus · Oxygenos

Roee Hay

Published

2017-03-12

Updated

2019-10-03

CVE-2017-5624

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions OxygenOS versions prior to 4.0.3

Description An issue in OxygenOS allows an attacker to persistently disable dm-verity, which is used by the kernel to verify the system partition, by issuing the fastboot oem disable dm verity command. This may allow for persistent code execution and privilege escalation. The vulnerability is related to insufficient access control and can be exploited remotely to gain root privileges and block warnings about system partition replacement.

Recommendations For OxygenOS versions prior to 4.0.3, update to version 4.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the fastboot oem disable dm verity command to minimize the risk of exploitation.

Exploit

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264CWE-269

Related Identifiers

BDU:2017-02593

CVE-2017-5624

Affected Products

Oxygenos

PT-2017-3177 · Oneplus · Oxygenos

CVE-2017-5624

Weakness Enumeration

Related Identifiers

Affected Products

References · 5