OnePlus 3/3T OxygenOS 4F500301 Bootloader Locking Bypass

Aleph Research Advisory

Identifier

Severity

Critical

Product

OnePlus 3T, OnePlus 3

Vulnerable Version

OxygenOS prior to 4.0.2

Technical Details

OxygenOS before version 4.0.2 has two hidden fastboot oem commands, fastboot oem 4F500301 and fastboot oem 4F500302, which let an attacker with fastboot access lock or unlock the bootloader while disregarding the OEM Unlocking checkbox, without user confirmation and without the factory reset that a normal unlock triggers. An unlocked bootloader allows persistent code execution with high privileges (kernel/root) and complete access to user data.

Timeline

  • 25-Jan-17: CVE request
  • 29-Jan-17: CVE-2017-5626 assigned
  • 08-Feb-17: Public disclosure
  • 01-Mar-17: Added as

Credit

  • roeeh of Aleph Research, HCL Software