Assessment
CFSE Consequence Paths assesses SideQuest deep-link one-click RCE on Oculus Quest sideloading platform (CVE-2024-21625) at CRITICAL — the worst of 2 risk paths (perception, authority). The dominant consequence is manipulated perception that drives action.
Vulnerability
SideQuest deep-link one-click RCE on Oculus Quest sideloading platform (CVE-2024-21625). Reported attack vector: NETWORK (one-click, requires user interaction).
CFSE Consequence Paths analysis
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
PERCEPTION_TO_ACTION → CRITICAL
CPATH:1.0-candidate/TT:PERCEPTION_TO_ACTION/RE:4/EC:3/EX:3/PH:2/DP:4/AT:3/CH:4/SR:4/SX:3/OR:2/EV:1/LS:PATCH_AVAILABLE
Exposure EX=3 (execution complexity-bound) · bands PH=HIGH · DP=CRITICAL · AT=CRITICAL → base CRITICAL → assessed CRITICAL.
Same internet-reachable one-click entry (RE:4). Post-RCE pivot uses SideQuest’s brokered ADB to push arbitrary APKs to the connected headset - standard researcher workflow once code-exec is held, with the extra step requiring a connected device (EC:3). Installing attacker code on the headset is service/command-level authority over the device’s installed software (AT:3). A malicious sideloaded VR app can read headset sensor/camera/spatial/account state and manipulate the immersive display, i.e. control the user’s perceived AR reality (DP:4, perception_feeds_action:true). No direct dangerous actuator or therapy; harm is disorientation/manipulated immersive environment rather than credible injury (PH:2). Web->desktop->device->perception boundary chain and reusable cross-domain bridge (CH:4, boundary_crossing:true). Single mass-distributable payload pushing the same APK = reuse across many setups (SR:4), gated by per-victim connected-headset click (SX:3). Recovered by app patch plus removing the pushed app, no signing-root rotation (OR:2). Headset-pivot step is modelled/inferred from the brokering capability rather than reproduced in the report (EV:1).
ACCOUNT_AUTHORITY → CRITICAL
CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:4/EX:4/PH:2/DP:3/AT:2/CH:4/SR:4/SX:3/OR:2/EV:2/LS:PATCH_AVAILABLE
Exposure EX=4 (reachability and complexity-bound) · bands PH=CRITICAL · DP=CRITICAL · AT=CRITICAL → base CRITICAL → assessed CRITICAL.
Internet-reachable malicious sidequest:// link (RE:4); single crafted link, one click, commodity Electron deep-link abuse (EC:4). Yields arbitrary code execution at the PC user’s privilege inside the SideQuest process - bounded user-level host/account authority, not root-of-trust or admin (AT:2). Arbitrary code can read PC user data and SideQuest-stored credentials/tokens (DP:3). Crosses web->desktop-app boundary and is a reusable bridge to ADB/headset control, so high chainability and boundary crossing (CH:4). One payload mass-distributable via phishing/forum posts to VR communities = deployment-wide reuse of a single artifact (SR:4), but still requires victim click with SideQuest running so not zero-touch fleet remote (SX:3). Patchable by app update, no fleet/key rotation (OR:2). Report-backed CVE (EV:2).
Published baseline
- v3.1 8.8 HIGH —
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H — GitHub Advisory via NVD / NVD
The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.
Sources