OnePlus 3/3T OxygenOS dm-verity Security Bypass

Aleph Research Advisory

Identifier

CVE-2017-5624

Severity

Moderate

Products

OnePlus 3T
OnePlus 3

Vulnerable Version

OxygenOS prior to 4.0.3

Technical Details

The attacker can persistently make the (locked) bootloader start the platform with dm-verity disabled, by issuing the fastboot oem disable_dm_verity command. Having dm-verity disabled, the kernel will not verify the system partition (and any other dm-verity protected partition), which may allow for persistent code execution and privilege escalation.

Timeline

01-Mar-17
: Added as ALEPH-2017002.
08-Feb-17
: Public disclosure.
29-Jan-17
: CVE-2017-5624 assigned.
25-Jan-17
: CVE ID requested.

Posts

Owning OnePlus 3/3T with a Malicious Charger: The Last Piece of the Puzzle
By Roee Hay,
26-Mar 2017
Owning a Locked OnePlus 3/3T: Bootloader Vulns
By Roee Hay,
08-Feb 2017

Credit

Roee Hay (@roeehay) of Aleph Research, HCL Technologies

External References

Owning a Locked OnePlus 3/3T: Bootloader Vulnerabilities (securityresear.ch)