Vulnerability Description
An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. OxygenOS and HydrogenOS are vulnerable to downgrade attacks. This is due to a lenient 'updater-script' in OTAs that does not check that the current version is lower than or equal to the given image's. Downgrades can occur even on locked bootloaders and without triggering a factory reset, allowing for exploitation of now-patched vulnerabilities with access to user data. This vulnerability can be exploited by a Man-in-the-Middle (MiTM) attacker targeting the update process. This is possible because the update transaction does not occur over TLS (CVE-2016-10370). In addition, a physical attacker can reboot the phone into recovery, and then use 'adb sideload' to push the OTA (on OnePlus 3/3T 'Secure Start-up' must be off).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oneplus | Oxygenos | All versions |
| Oneplus | Oneplus 2 | - |
| Oneplus | Oneplus 3 | - |
| Oneplus | Oneplus 3T | - |
| Oneplus | Oneplus One | - |
| Oneplus | Oneplus X | - |
Related Weaknesses (CWE)
References
- https://alephsecurity.com/vulns/aleph-2017008ExploitTechnical DescriptionThird Party Advisory
- https://alephsecurity.com/vulns/aleph-2017008ExploitTechnical DescriptionThird Party Advisory
FAQ
What is CVE-2017-5948?
CVE-2017-5948 is a vulnerability with a CVSS score of 5.9 (MEDIUM). An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. OxygenOS and HydrogenOS are vulnerable to downgrade attacks. This is due to a lenient 'updater-script' in OTAs that does not check that...
How severe is CVE-2017-5948?
CVE-2017-5948 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-5948?
Check the references section above for vendor advisories and patch information. Affected products include: Oneplus Oxygenos, Oneplus Oneplus 2, Oneplus Oneplus 3, Oneplus Oneplus 3T, Oneplus Oneplus One.