Vulnerability Details CVE-2017-5624
An issue was discovered in OxygenOS before 4.0.3 for OnePlus 3 and 3T. The attacker can persistently make the (locked) bootloader start the platform with dm-verity disabled, by issuing the 'fastboot oem disable_dm_verity' command. Having dm-verity disabled, the kernel will not verify the system partition (and any other dm-verity protected partition), which may allow for persistent code execution and privilege escalation.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.02
EPSS Ranking 82.7%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 10.0
References
Products affected by CVE-2017-5624
-
cpe:2.3:h:oneplus:oneplus_3:-
-
cpe:2.3:h:oneplus:oneplus_3t:-
-
cpe:2.3:o:oneplus:oxygenos:3.2.8
-
cpe:2.3:o:oneplus:oxygenos:3.5.4
-
cpe:2.3:o:oneplus:oxygenos:4.0.2