CVE-2017-5948
Severity CVSS v4.0:
Pending analysis
Type:
CWE-20
Input Validation
Publication date:
11/05/2017
Last modified:
20/04/2025
Description
An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. OxygenOS and HydrogenOS are vulnerable to downgrade attacks. This is due to a lenient 'updater-script' in OTAs that does not check that the current version is lower than or equal to the given image's. Downgrades can occur even on locked bootloaders and without triggering a factory reset, allowing for exploitation of now-patched vulnerabilities with access to user data. This vulnerability can be exploited by a Man-in-the-Middle (MiTM) attacker targeting the update process. This is possible because the update transaction does not occur over TLS (CVE-2016-10370). In addition, a physical attacker can reboot the phone into recovery, and then use 'adb sideload' to push the OTA (on OnePlus 3/3T 'Secure Start-up' must be off).
Impact
Base Score 3.x
5.90
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:oneplus:oxygenos:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:oneplus:oneplus_2:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:oneplus:oneplus_3:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:oneplus:oneplus_3t:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:oneplus:oneplus_one:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:oneplus:oneplus_x:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page