Vulnerability Description
With OxygenOS before 4.0.3, when a charger is connected to a powered-off OnePlus 3 or 3T device, the platform starts with adbd enabled. Therefore, a malicious charger or a physical attacker can open up, without authorization, an ADB session with the device, in order to further exploit other vulnerabilities and/or exfiltrate sensitive information.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oneplus | Oxygenos | <= 4.0.2 |
| Oneplus | Oneplus 3 | - |
| Oneplus | Oneplus 3T | - |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/97092
- https://alephsecurity.com/vulns/aleph-2017004Technical DescriptionThird Party Advisory
- http://www.securityfocus.com/bid/97092
- https://alephsecurity.com/vulns/aleph-2017004Technical DescriptionThird Party Advisory
FAQ
What is CVE-2017-5622?
CVE-2017-5622 is a vulnerability with a CVSS score of 5.9 (MEDIUM). With OxygenOS before 4.0.3, when a charger is connected to a powered-off OnePlus 3 or 3T device, the platform starts with adbd enabled. Therefore, a malicious charger or a physical attacker can open u...
How severe is CVE-2017-5622?
CVE-2017-5622 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-5622?
Check the references section above for vendor advisories and patch information. Affected products include: Oneplus Oxygenos, Oneplus Oneplus 3, Oneplus Oneplus 3T.