CVE-2016-10370
Summary
| CVE | CVE-2016-10370 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-05-11 18:29:00 UTC |
| Updated | 2017-05-23 01:29:00 UTC |
| Description | An issue was discovered on OnePlus devices such as the 3T. The OnePlus OTA Updater pushes the signed-OTA image over HTTP without TLS. While it does not allow for installation of arbitrary OTAs (due to the digital signature), it unnecessarily increases the attack surface, and allows for remote exploitation of other vulnerabilities such as CVE-2017-5948, CVE-2017-8850, and CVE-2017-8851. |
Risk And Classification
Problem Types: CWE-284
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Oneplus | Oneplus 3t | - | All | All | All |
| Hardware | Oneplus | Oneplus 3t | - | All | All | All |
| Operating System | Oneplus | Oxygenos | All | All | All | All |
| Operating System | Oneplus | Oxygenos | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Multiple OnePlus Products CVE-2016-10370 Man in the Middle Security Bypass Vulnerability | BID | www.securityfocus.com | |
| OTA and IMEI over HTTP - OnePlus Forums | MISC | forums.oneplus.net | Vendor Advisory |
| [CVE-2016-10370] OnePlus OTA Lack of TLS Vulnerability | MISC | alephsecurity.com | Exploit, Technical Description, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.