CVE-2017-5948 in OxygenOS

Summary

by MITRE

An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. OxygenOS and HydrogenOS are vulnerable to downgrade attacks. This is due to a lenient 'updater-script' in OTAs that does not check that the current version is lower than or equal to the given image's. Downgrades can occur even on locked bootloaders and without triggering a factory reset, allowing for exploitation of now-patched vulnerabilities with access to user data. This vulnerability can be exploited by a Man-in-the-Middle (MiTM) attacker targeting the update process. This is possible because the update transaction does not occur over TLS (CVE-2016-10370). In addition, a physical attacker can reboot the phone into recovery, and then use 'adb sideload' to push the OTA (on OnePlus 3/3T 'Secure Start-up' must be off).


Analysis

by VulDB Data Team • 09/26/2020

CVE-2017-5948 is a critical security flaw in OnePlus devices running OxygenOS and HydrogenOS. It affects the OnePlus One, X, 2, 3 and 3T and opens a path for unauthorized system modification that bypasses normal security measures. The flaw stems from an overly permissive updater-script in the Over-The-Air update mechanism, which does not reject a target firmware version that is lower than the one currently installed. An attacker can therefore downgrade a device to an older firmware release, returning it to a previously vulnerable state.

Technically, the vulnerability is the absence of a version check in the OTA update process. The updater-script lacks the mandatory comparison that would ensure the target image is not older than the running system, so older firmware can be installed regardless of the device's security posture. This is particularly concerning because it is independent of the bootloader lock status: even devices with locked bootloaders remain susceptible. The downgrade also does not trigger the factory reset that would normally accompany such a system change, which makes the attack less visible to the user.
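As an added illustration (not part of the VulDB entry, MITRE's text or OnePlus's code), the following Python models the missing comparison. An Android OTA zip carries a META-INF/com/android/metadata file whose post-timestamp is the build's ro.build.date.utc, and the updater-script that AOSP generates aborts when that timestamp is older than the running build. The device name, timestamps and metadata text below are constructed samples, not real OxygenOS builds.

```python
"""Lenient versus anti-rollback OTA admission, modelled in Python.

All property values and the metadata text are constructed samples.
"""


def parse_ota_metadata(text: str) -> dict:
    """Parse the key=value lines of META-INF/com/android/metadata."""
    meta = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue  # ignore blanks and malformed lines
        key, _, value = line.partition("=")
        meta[key.strip()] = value.strip()
    return meta


def lenient_check(current: dict, meta: dict) -> tuple:
    """Device-model check only: the behaviour the advisory describes."""
    if meta.get("pre-device") != current.get("ro.product.device"):
        return False, "package built for a different device"
    return True, "install allowed"


def strict_check(current: dict, meta: dict) -> tuple:
    """Device check plus the anti-rollback comparison that AOSP emits as
    !less_than_int(post-timestamp, ro.build.date.utc) || abort(...)."""
    ok, reason = lenient_check(current, meta)
    if not ok:
        return ok, reason
    try:
        pkg_ts = int(meta["post-timestamp"])
        cur_ts = int(current["ro.build.date.utc"])
    except (KeyError, ValueError):
        # Fail closed: a package without a usable timestamp is not trusted.
        return False, "missing or malformed build timestamp"
    if pkg_ts < cur_ts:
        return False, "refusing downgrade: package older than running build"
    return True, "install allowed"


# Constructed sample: the device runs a build from timestamp 1490000000,
# while the offered OTA was built earlier (1480000000), i.e. a downgrade.
CURRENT_PROPS = {"ro.product.device": "OnePlus3", "ro.build.date.utc": "1490000000"}
OLD_OTA_METADATA = """\
post-build=constructed/OnePlus3/sample:7.0/OLDBUILD/1:user/release-keys
post-timestamp=1480000000
pre-device=OnePlus3
"""

if __name__ == "__main__":
    meta = parse_ota_metadata(OLD_OTA_METADATA)
    print("lenient:", lenient_check(CURRENT_PROPS, meta))
    print("strict: ", strict_check(CURRENT_PROPS, meta))
```

The lenient path accepts the older package because the device name matches; the strict path refuses it, and also refuses a package that omits the timestamp.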

The impact goes beyond simple system modification: once a device has been downgraded, attackers can exploit flaws that were patched in newer releases to reach user data. Users whose devices are downgraded face exposure of sensitive information and a persistent security weakness. The attack is made easier because the update transaction does not occur over Transport Layer Security (CVE-2016-10370), so a Man-in-the-Middle attacker can intercept and manipulate update packages in transit.

Physical access compounds the threat. An attacker with the device in hand can reboot it into recovery and use adb sideload to push a malicious OTA package; on OnePlus 3 and 3T this requires Secure Start-up to be disabled. This vector bypasses network-based protections entirely and permits direct manipulation of the system. Together, the network-based Man-in-the-Middle path and the physical path give adversaries with differing levels of access and skill a way in. The weakness maps to CWE-284 (improper access control) and to ATT&CK techniques for privilege escalation and system modification that target firmware integrity and the update mechanism. Consequences include data exposure, persistent backdoors and continued unauthorized access to user information through exploitation of formerly patched vulnerabilities.

Reservation: 02/09/2017

Disclosure: 05/11/2017

Moderation: accepted

CPE: ready

EPSS: 0.00294

KEV: no

Activities: very low
