CVE-2021-38789 – CVE-2021-38789 is an incorrect access control v... (How to Fix)

Q: What is the severity of CVE-2021-38789?

CVE-2021-38789 has a CVSS score of 7.5 (HIGH). CVE-2021-38789 is an incorrect access control vulnerability in Allwinner R818 SoC Android Q SDK V1.0 where the aw_display service fails to verify caller permissions. This allows third-party Android apps to modify system settings without authorization. Devices using this specific SoC and SDK version are affected.

📋 TL;DR

CVE-2021-38789 is an incorrect access control vulnerability in Allwinner R818 SoC Android Q SDK V1.0 where the aw_display service fails to verify caller permissions. This allows third-party Android apps to modify system settings without authorization. Devices using this specific SoC and SDK version are affected.

💻 Affected Systems

Products:

Allwinner R818 SoC devices running Android Q

Versions: Android Q SDK V1.0

Operating Systems: Android Q (Android 10)

Default Config Vulnerable: ⚠️ Yes

Notes: Specifically affects the aw_display service in the Allwinner R818 SoC implementation. Other Allwinner SoCs or Android versions may not be affected.

📦 What is this software?

Android Q Sdk by Allwinnertech

View all CVEs affecting Android Q Sdk →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious app could change critical system settings like display resolution, brightness, or other hardware parameters, potentially causing system instability or denial of service.

🟠

Likely Case

Unauthorized apps could modify display settings, change system configurations, or interfere with device functionality without user consent.

🟢

If Mitigated

With proper permission checks, only system apps with appropriate privileges could modify system settings.

🌐 Internet-Facing: LOW - This requires local app installation and execution, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Requires malicious app installation on device, which could occur through sideloading or compromised app stores.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires a malicious app to be installed on the device. The vulnerability is in the service permission checking mechanism.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Q SDK V1.0 with security patches or later versions

Vendor Advisory: https://www.allwinnertech.com/index.php?c=product&a=index&id=92

Restart Required: Yes

Instructions:

1. Contact device manufacturer for firmware updates. 2. Apply Allwinner-provided patches for the aw_display service. 3. Update to patched Android Q SDK version. 4. Rebuild and flash device firmware.

🔧 Temporary Workarounds

Restrict app installation sources

android

Only allow app installation from trusted sources like Google Play Store

Disable unknown sources

android

Turn off installation from unknown sources in Android settings

🧯 If You Can't Patch

Implement app vetting process to prevent malicious apps from being installed
Use mobile device management (MDM) solutions to control app installation and monitor for suspicious behavior

🔍 How to Verify

Check if Vulnerable:

Check device specifications for Allwinner R818 SoC and Android Q version. Review system logs for unauthorized aw_display service calls.

Check Version:

adb shell getprop ro.build.version.sdk (should return 29 for Android Q) and check hardware specifications for SoC

Verify Fix Applied:

Test with a controlled app attempting to call aw_display service without proper permissions - should be denied.

📡 Detection & Monitoring

Log Indicators:

Unauthorized calls to aw_display service
Permission denial logs for system settings modification

Network Indicators:

Not applicable - local vulnerability

SIEM Query:

source="android" AND (service="aw_display" OR permission_denied) AND action="modify_system_settings"

📊 Metadata

CVE ID: CVE-2021-38789

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-862

Published: January 19, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/Allwinner%20R818%20SoC%EF%BC%9Aaw_display%20service%20has%20EoP%20Vulnerability.md Broken Link
https://vul.wangan.com/a/CNVD-2021-46927 Third Party Advisory
https://www.allwinnertech.com/index.php?c=product&a=index&id=92 Product,Vendor Advisory
https://www.cnvd.org.cn/flaw/show/CNVD-2021-46927 Third Party Advisory
https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/Allwinner%20R818%20SoC%EF%BC%9Aaw_display%20service%20has%20EoP%20Vulnerability.md Broken Link
https://vul.wangan.com/a/CNVD-2021-46927 Third Party Advisory
https://www.allwinnertech.com/index.php?c=product&a=index&id=92 Product,Vendor Advisory
https://www.cnvd.org.cn/flaw/show/CNVD-2021-46927 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-38789, you might also want to check these: