CVE-2017-5626 - OpenCVE

OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fastboot oem commands (4F500301 and 4F500302) that allow the attacker to lock/unlock the bootloader, disregarding the 'OEM Unlocking' checkbox, without user confirmation and without a factory reset. This allows for persistent code execution with high privileges (kernel/root) with complete access to user data.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oneplus	Oneplus 3 Oneplus 3t Oxygenos

Configuration 1 [-]

AND

cpe:2.3:o:oneplus:oxygenos:*:*:*:*:*:*:*:*

cpe:2.3:h:oneplus:oneplus_3:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:oneplus:oxygenos:*:*:*:*:*:*:*:*

cpe:2.3:h:oneplus:oneplus_3t:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://securityresear.ch/2017/02/08/oneplus3-bootloader-vulns/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-03-12T04:57:00

Updated: 2024-08-05T15:04:15.338Z

Reserved: 2017-01-29T00:00:00

Link: CVE-2017-5626

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-03-12T05:59:00.197

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-5626

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-03-11T00:00:00", "descriptions": [{"lang": "en", "value": "OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fastboot oem commands (4F500301 and 4F500302) that allow the attacker to lock/unlock the bootloader, disregarding the 'OEM Unlocking' checkbox, without user confirmation and without a factory reset. This allows for persistent code execution with high privileges (kernel/root) with complete access to user data."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-03-12T04:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://securityresear.ch/2017/02/08/oneplus3-bootloader-vulns/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-5626", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fastboot oem commands (4F500301 and 4F500302) that allow the attacker to lock/unlock the bootloader, disregarding the 'OEM Unlocking' checkbox, without user confirmation and without a factory reset. This allows for persistent code execution with high privileges (kernel/root) with complete access to user data."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://securityresear.ch/2017/02/08/oneplus3-bootloader-vulns/", "refsource": "MISC", "url": "https://securityresear.ch/2017/02/08/oneplus3-bootloader-vulns/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:04:15.338Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://securityresear.ch/2017/02/08/oneplus3-bootloader-vulns/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-5626", "datePublished": "2017-03-12T04:57:00", "dateReserved": "2017-01-29T00:00:00", "dateUpdated": "2024-08-05T15:04:15.338Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:oneplus:oxygenos:*:*:*:*:*:*:*:*", "matchCriteriaId": "343FD4D5-58CE-484E-B8E5-F3C2B15EF6F7", "versionEndIncluding": "3.2.8", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:oneplus:oneplus_3:-:*:*:*:*:*:*:*", "matchCriteriaId": "E6B1891E-38B0-42C5-89D3-3DC12217F087", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:oneplus:oxygenos:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AB7D4A5-3FB2-4097-98D9-222FF350F10F", "versionEndIncluding": "3.5.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:oneplus:oneplus_3t:-:*:*:*:*:*:*:*", "matchCriteriaId": "4C7E02CB-9EAC-4BFD-8CCC-337610E1CCEE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fastboot oem commands (4F500301 and 4F500302) that allow the attacker to lock/unlock the bootloader, disregarding the 'OEM Unlocking' checkbox, without user confirmation and without a factory reset. This allows for persistent code execution with high privileges (kernel/root) with complete access to user data."}, {"lang": "es", "value": "OxygenOS en versiones anteriores a versi\u00f3n 4.0.2, en OnePlus 3 y 3T, tiene dos comandos oem ocultos de arranque r\u00e1pido (4F500301 y 4F500302) que permiten al atacante bloquear/desbloquear el gestor de arranque, ignorando la casilla de verificaci\u00f3n 'OEM Unlocking', sin confirmaci\u00f3n del usuario y sin un restablecimiento de f\u00e1brica. Esto permite la ejecuci\u00f3n de c\u00f3digo persistente con privilegios altos (kernel/root) con acceso completo a los datos del usuario."}], "id": "CVE-2017-5626", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-12T05:59:00.197", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "https://securityresear.ch/2017/02/08/oneplus3-bootloader-vulns/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}