Vulnerability Description
An issue was discovered in OxygenOS before 4.1.0 on OnePlus 3 and 3T devices. The attacker can change the bootmode of the device by issuing the 'fastboot oem boot_mode {rf/wlan/ftm/normal} command' in contradiction to the threat model of Android where the bootloader MUST NOT allow any security-sensitive operation to be run unless the bootloader is unlocked.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oneplus | Oxygenos | <= 4.0.3 |
| Oneplus | Oneplus 3 | - |
| Oneplus | Oneplus 3T | - |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/97048
- https://alephsecurity.com/vulns/aleph-2017005ExploitTechnical DescriptionThird Party Advisory
- http://www.securityfocus.com/bid/97048
- https://alephsecurity.com/vulns/aleph-2017005ExploitTechnical DescriptionThird Party Advisory
FAQ
What is CVE-2017-5623?
CVE-2017-5623 is a vulnerability with a CVSS score of 6.6 (MEDIUM). An issue was discovered in OxygenOS before 4.1.0 on OnePlus 3 and 3T devices. The attacker can change the bootmode of the device by issuing the 'fastboot oem boot_mode {rf/wlan/ftm/normal} command' in...
How severe is CVE-2017-5623?
CVE-2017-5623 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-5623?
Check the references section above for vendor advisories and patch information. Affected products include: Oneplus Oxygenos, Oneplus Oneplus 3, Oneplus Oneplus 3T.