
OnePlus 3/3T OxygenOS dm-verity Security Bypass

Aleph Research Advisory

Identifier

Severity

Moderate

Product

OnePlus 3T, OnePlus 3

Vulnerable Version

OxygenOS prior to 4.0.3

Technical Details

By issuing the fastboot oem disable_dm_verity command, an attacker can make the (locked) bootloader persistently start the platform with dm-verity disabled. With dm-verity disabled, the kernel does not verify the system partition (or any other dm-verity protected partition), which may allow persistent code execution and privilege escalation.
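A defensive check for the condition described above, as an added example that is not part of the original advisory: it audits captured `getprop` and `/proc/mounts` text for an OxygenOS version below 4.0.3 and for a /system mount that is not backed by a device-mapper node. The property name `ro.oxygen.version` and the `/dev/block/dm-N` naming of a verity-backed mount are assumptions, and the sample captures are constructed.

```python
import re

FIXED = (4, 0, 3)  # per the advisory: OxygenOS prior to 4.0.3 is vulnerable

def parse_getprop(text):
    """Parse `getprop` output lines of the form `[key]: [value]` into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]\s*$", text, re.M))

def version_tuple(s):
    """'4.0.2' -> (4, 0, 2); None if the string holds no digits."""
    parts = [int(p) for p in re.findall(r"\d+", s)][:3]
    return tuple(parts + [0] * (3 - len(parts))) if parts else None

def system_on_dm(mounts_text):
    """True if /system is backed by a device-mapper node (assumed /dev/block/dm-N)."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "/system":
            return re.fullmatch(r"/dev/block/dm-\d+", fields[0]) is not None
    return False  # no /system entry at all: cannot confirm verity

def audit(getprop_text, mounts_text, version_prop="ro.oxygen.version"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # version_prop is an assumed property name; pass another if the build differs.
    ver = version_tuple(parse_getprop(getprop_text).get(version_prop, ""))
    if ver is None:
        findings.append("version-unknown")
    elif ver < FIXED:
        findings.append("vulnerable-version")
    if not system_on_dm(mounts_text):
        findings.append("system-not-verity-mapped")
    return findings

# Constructed sample captures (not taken from a real device).
PROPS_OLD = "[ro.build.type]: [user]\n[ro.oxygen.version]: [4.0.2]\n"
PROPS_NEW = "[ro.build.type]: [user]\n[ro.oxygen.version]: [4.0.3]\n"
MOUNT_RAW = "/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel 0 0\n"
MOUNT_DM = "/dev/block/dm-0 /system ext4 ro,seclabel 0 0\n"

if __name__ == "__main__":
    print(audit(PROPS_OLD, MOUNT_RAW))
    print(audit(PROPS_NEW, MOUNT_DM))
```

A /system mount that bypasses device-mapper on a locked device is the finding to investigate first; a version at or above 4.0.3 does not by itself show that verity is active.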

Timeline

  • 01-Mar-17: Added as
  • 29-Jan-17: CVE-2017-5624 assigned
  • 08-Feb-17: Public disclosure
  • 25-Jan-17: CVE request

Credit

  • roeeh of Aleph Research, HCL Software