CVE-2021-30332

Q: What is the severity of CVE-2021-30332?

CVE-2021-30332 has a CVSS score of 7.5 (HIGH). This vulnerability in Qualcomm Snapdragon chipsets allows attackers to trigger a denial-of-service condition via improper validation of Over-The-Air (OTA) configuration data. It affects devices using vulnerable Snapdragon Auto, Compute, Connectivity, Industrial IoT, and Mobile platforms. Successful exploitation could cause system crashes or instability.

7.5 HIGH

Denial of Service

📋 TL;DR

This vulnerability in Qualcomm Snapdragon chipsets allows attackers to trigger a denial-of-service condition via improper validation of Over-The-Air (OTA) configuration data. It affects devices using vulnerable Snapdragon Auto, Compute, Connectivity, Industrial IoT, and Mobile platforms. Successful exploitation could cause system crashes or instability.

💻 Affected Systems

Products:

Snapdragon Auto
Snapdragon Compute
Snapdragon Connectivity
Snapdragon Industrial IOT
Snapdragon Mobile

Versions: Specific chipset versions as listed in Qualcomm March 2022 bulletin

Operating Systems: Android, Linux-based automotive/industrial systems

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices using vulnerable Qualcomm chipsets; exact device models depend on manufacturer implementation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

System crash or reboot leading to denial-of-service, potentially disrupting critical operations in automotive, industrial, or mobile devices.

🟠

Likely Case

Local denial-of-service causing temporary device instability or reboot, requiring physical or local access to trigger.

🟢

If Mitigated

Minimal impact with proper access controls preventing unauthorized OTA configuration attempts.

🌐 Internet-Facing: LOW - Requires local access or compromised OTA update mechanism; not directly exploitable over internet.

🏢 Internal Only: MEDIUM - Could be exploited by malicious insiders or compromised internal systems with OTA update capabilities.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires ability to send malicious OTA configuration data; likely requires some level of system access or compromised update mechanism.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Qualcomm March 2022 security bulletin for specific chipset fixes

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/march-2022-bulletin

Restart Required: Yes

Instructions:

1. Check Qualcomm advisory for affected chipset versions. 2. Obtain firmware updates from device manufacturer. 3. Apply manufacturer-provided patches. 4. Reboot device to complete installation.

🔧 Temporary Workarounds

Restrict OTA Update Sources

all

Limit OTA configuration updates to trusted, authenticated sources only

Disable Unnecessary OTA Services

all

Turn off OTA update capabilities if not required for device operation

🧯 If You Can't Patch

Implement strict access controls to prevent unauthorized OTA configuration attempts
Monitor for unusual OTA update activity and system crashes

🔍 How to Verify

Check if Vulnerable:

Check device chipset version against Qualcomm's affected list in March 2022 bulletin

Check Version:

Device-specific commands vary by manufacturer; typically 'getprop' on Android or manufacturer diagnostic tools

Verify Fix Applied:

Verify firmware version has been updated to patched version from manufacturer

📡 Detection & Monitoring

Log Indicators:

Unexpected system crashes/reboots
OTA configuration failures
Assertion failures in system logs

Network Indicators:

Unusual OTA update traffic from untrusted sources

SIEM Query:

Search for: (event_category:system_crash OR event_category:reboot) AND (process_name:ota_service OR component:qualcomm)

📊 Metadata

CVE ID: CVE-2021-30332

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-617

Published: April 1, 2022

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/march-2022-bulletin Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/march-2022-bulletin Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Ar8035 Firmware by Qualcomm

Qca6390 Firmware by Qualcomm

Qca6391 Firmware by Qualcomm

Qca6426 Firmware by Qualcomm

Qca6436 Firmware by Qualcomm

Qca6574a Firmware by Qualcomm

Qca6574au Firmware by Qualcomm

Qca6595au Firmware by Qualcomm

Qca6696 Firmware by Qualcomm

Qca8081 Firmware by Qualcomm

Qca8337 Firmware by Qualcomm

Qcm6490 Firmware by Qualcomm

Qcs6490 Firmware by Qualcomm

Qcx315 Firmware by Qualcomm

Sa515m Firmware by Qualcomm

Sd 8 Gen1 5g Firmware by Qualcomm

Sd480 Firmware by Qualcomm

Sd690 5g Firmware by Qualcomm

Sd750g Firmware by Qualcomm

Sd765 Firmware by Qualcomm

Sd765g Firmware by Qualcomm

Sd768g Firmware by Qualcomm

Sd778g Firmware by Qualcomm

Sd780g Firmware by Qualcomm

Sd865 5g Firmware by Qualcomm

Sd870 Firmware by Qualcomm

Sd888 5g Firmware by Qualcomm

Sd888 Firmware by Qualcomm

Sdx55 Firmware by Qualcomm

Sdx55m Firmware by Qualcomm

Sdx65 Firmware by Qualcomm

Sdxr2 5g Firmware by Qualcomm

Sm6375 Firmware by Qualcomm

Sm7250p Firmware by Qualcomm

Sm7315 Firmware by Qualcomm

Sm7325p Firmware by Qualcomm

Wcd9341 Firmware by Qualcomm

Wcd9360 Firmware by Qualcomm

Wcd9370 Firmware by Qualcomm

Wcd9375 Firmware by Qualcomm

Wcd9380 Firmware by Qualcomm

Wcd9385 Firmware by Qualcomm

Wcn3988 Firmware by Qualcomm

Wcn3991 Firmware by Qualcomm

Wcn3998 Firmware by Qualcomm

Wcn6740 Firmware by Qualcomm

Wcn6750 Firmware by Qualcomm

Wcn6850 Firmware by Qualcomm

Wcn6851 Firmware by Qualcomm

Wcn6855 Firmware by Qualcomm

Wcn6856 Firmware by Qualcomm

Wsa8810 Firmware by Qualcomm

Wsa8815 Firmware by Qualcomm

Wsa8830 Firmware by Qualcomm

Wsa8835 Firmware by Qualcomm