CVE-2021-30339

Q: What is the severity of CVE-2021-30339?

CVE-2021-30339 has a CVSS score of 9.0 (CRITICAL). This vulnerability in Qualcomm Snapdragon chipsets allows improper cryptographic key generation due to insufficient buffer validation when reading PRNG output. Attackers could potentially generate weak or predictable keys, compromising security. Affected devices include Snapdragon-based mobile devices, wearables, industrial IoT, and networking equipment.

9.0 CRITICAL

📋 TL;DR

This vulnerability in Qualcomm Snapdragon chipsets allows improper cryptographic key generation due to insufficient buffer validation when reading PRNG output. Attackers could potentially generate weak or predictable keys, compromising security. Affected devices include Snapdragon-based mobile devices, wearables, industrial IoT, and networking equipment.

💻 Affected Systems

Products:

Snapdragon Connectivity
Snapdragon Industrial IOT
Snapdragon Mobile
Snapdragon Wearables
Snapdragon Wired Infrastructure and Networking

Versions: Multiple Snapdragon chipset versions (specific versions detailed in Qualcomm bulletins)

Operating Systems: Android, Embedded Linux, Other Qualcomm-supported OS

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices using vulnerable Snapdragon chipsets regardless of OS configuration. Impact depends on how PRNG is used in specific implementations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of cryptographic protections, allowing decryption of sensitive communications, authentication bypass, and data integrity violations across affected devices.

🟠

Likely Case

Generation of weak cryptographic keys leading to potential decryption of some communications or authentication bypass in specific scenarios.

🟢

If Mitigated

Limited impact if strong network segmentation and additional encryption layers are implemented, though underlying vulnerability remains.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires understanding of specific cryptographic implementations and access to affected systems. No public exploit code available as of knowledge cutoff.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Qualcomm April 2022 security bulletin for specific chipset firmware versions

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/april-2022-bulletin

Restart Required: Yes

Instructions:

1. Check device manufacturer for firmware updates. 2. Apply Qualcomm-provided firmware patches. 3. Reboot device. 4. Verify patch installation through device settings or manufacturer tools.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected devices from critical networks to limit potential attack surface

Additional Encryption Layer

all

Implement application-layer encryption to supplement potentially compromised hardware crypto

🧯 If You Can't Patch

Segment affected devices into isolated network zones with strict access controls
Monitor for unusual cryptographic operations or authentication failures

🔍 How to Verify

Check if Vulnerable:

Check device specifications for affected Snapdragon chipsets and firmware version against Qualcomm bulletins

Check Version:

Device-specific commands vary by manufacturer (e.g., Android: Settings > About Phone > Build Number)

Verify Fix Applied:

Verify firmware version has been updated to post-April 2022 patches from device manufacturer

📡 Detection & Monitoring

Log Indicators:

Repeated cryptographic operation failures
Unexpected key generation events
Authentication anomalies

Network Indicators:

Unusual decryption patterns
Suspicious cryptographic protocol negotiations

SIEM Query:

Search for cryptographic error codes or authentication failures from Snapdragon-based devices

📊 Metadata

CVE ID: CVE-2021-30339

CVSS v3 Score: 9.0 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Published: June 14, 2022

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/april-2022-bulletin Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/april-2022-bulletin Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Ar8035 Firmware by Qualcomm

Qca6391 Firmware by Qualcomm

Qca8081 Firmware by Qualcomm

Qca8337 Firmware by Qualcomm

Qca9984 Firmware by Qualcomm

Qcm2290 Firmware by Qualcomm

Qcm4290 Firmware by Qualcomm

Qcm6490 Firmware by Qualcomm

Qcs2290 Firmware by Qualcomm

Qcs405 Firmware by Qualcomm

Qcs4290 Firmware by Qualcomm

Qcs6490 Firmware by Qualcomm

Sd 8 Gen1 5g Firmware by Qualcomm

Sd460 Firmware by Qualcomm

Sd480 Firmware by Qualcomm

Sd662 Firmware by Qualcomm

Sd680 Firmware by Qualcomm

Sd690 5g Firmware by Qualcomm

Sd750g Firmware by Qualcomm

Sd765 Firmware by Qualcomm

Sd765g Firmware by Qualcomm

Sd768g Firmware by Qualcomm

Sd778g Firmware by Qualcomm

Sd780g Firmware by Qualcomm

Sd888 5g Firmware by Qualcomm

Sd888 Firmware by Qualcomm

Sdx57m Firmware by Qualcomm

Sdx65 Firmware by Qualcomm

Sm6375 Firmware by Qualcomm

Sm7250p Firmware by Qualcomm

Sm7315 Firmware by Qualcomm

Sm7325p Firmware by Qualcomm

Sw5100 Firmware by Qualcomm

Sw5100p Firmware by Qualcomm

Wcd9370 Firmware by Qualcomm

Wcd9375 Firmware by Qualcomm

Wcd9380 Firmware by Qualcomm

Wcd9385 Firmware by Qualcomm

Wcn3910 Firmware by Qualcomm

Wcn3950 Firmware by Qualcomm

Wcn3980 Firmware by Qualcomm

Wcn3988 Firmware by Qualcomm

Wcn3991 Firmware by Qualcomm

Wcn3998 Firmware by Qualcomm

Wcn3999 Firmware by Qualcomm

Wcn6740 Firmware by Qualcomm

Wcn6750 Firmware by Qualcomm

Wcn6850 Firmware by Qualcomm

Wcn6851 Firmware by Qualcomm

Wcn6855 Firmware by Qualcomm

Wcn6856 Firmware by Qualcomm

Wsa8810 Firmware by Qualcomm

Wsa8815 Firmware by Qualcomm

Wsa8830 Firmware by Qualcomm

Wsa8835 Firmware by Qualcomm