CVE-2021-39971

7.5 HIGH

📋 TL;DR

CVE-2021-39971 is an external control vulnerability in the HarmonyOS password vault that allows attackers to manipulate system settings. This could lead to unauthorized access to stored credentials. Affected systems are HarmonyOS devices running a vulnerable password vault implementation.

💻 Affected Systems

Products:
  • HarmonyOS Password Vault
Versions: HarmonyOS 2.0 versions before 2.0.0.210
Operating Systems: HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices using HarmonyOS password vault functionality. Requires password vault to be enabled and in use.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of all stored passwords and credentials, leading to account takeovers and data breaches.

🟠 Likely Case: Targeted credential theft from specific users or applications using the password vault.

🟢 If Mitigated: Limited impact with proper access controls and monitoring in place.

🌐 Internet-Facing: MEDIUM - Requires some level of access or social engineering to exploit.
🏢 Internal Only: HIGH - Internal attackers could exploit this more easily to access sensitive credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires some level of access to the system and knowledge of password vault configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS 2.0.0.210 and later

Vendor Advisory: https://device.harmonyos.com/en/docs/security/update/security-bulletins-202110-0000001162998526

Restart Required: Yes

Instructions:

1. Check current HarmonyOS version.
2. Update to version 2.0.0.210 or later via Settings > System & updates > Software update.
3. Restart device after update completes.

🔧 Temporary Workarounds

Disable Password Vault (applies to: all): Temporarily disable the password vault functionality until patched.

Restrict Access Controls (applies to: all): Implement strict access controls and monitoring for password vault access.

🧯 If You Can't Patch

  • Implement network segmentation to isolate affected devices
  • Enable detailed logging and monitoring for password vault access attempts

🔍 How to Verify

Check if Vulnerable:

Check the HarmonyOS version in Settings > About phone > HarmonyOS version. If the version is below 2.0.0.210, the device is vulnerable.

Check Version:

Settings > About phone > HarmonyOS version

Verify Fix Applied:

Verify HarmonyOS version is 2.0.0.210 or higher after update.
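The version check above is easy to get wrong when scripted across a fleet, because comparing version strings lexically puts "2.0.0.9" after "2.0.0.210". The following script is an added example, not tooling from the advisory or from the vendor: it parses the reported HarmonyOS version numerically and classifies it against the 2.0.0.210 fix level. The fixed version and the "HarmonyOS 2.0 line only" scope come from this page; the handling of a trailing build label in parentheses is an assumed input format.

```python
import re
from typing import Tuple

# Patch level named in the advisory: HarmonyOS 2.0.0.210 is the first fixed release.
FIXED_VERSION = "2.0.0.210"
COMPONENTS = 4  # HarmonyOS versions on this page use four numeric components

# Leading dotted-numeric prefix; anything after it (for example a build label in
# parentheses, an assumed format) is ignored for the comparison.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a version string into a tuple of ints, zero-padded to COMPONENTS.

    Comparing the tuple (not the string) is the point: as strings, "2.0.0.9" sorts
    after "2.0.0.210" because "9" > "2", which would wrongly report a device as fixed.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    if len(parts) > COMPONENTS:
        raise ValueError(f"too many version components in {text!r}")
    return parts + (0,) * (COMPONENTS - len(parts))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is lower than, equal to, or higher than b."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


def assess(version: str) -> str:
    """Classify a reported HarmonyOS version against this advisory.

    The advisory covers only the HarmonyOS 2.0 line, so other major/minor versions
    are reported as out of scope rather than guessed at.
    """
    if parse_version(version)[:2] != (2, 0):
        return "out of scope"
    return "vulnerable" if compare_versions(version, FIXED_VERSION) < 0 else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs, including the string-comparison trap and a build label.
    for reported in ["2.0.0.209", "2.0.0.210", "2.0.0.9", "2.0.0.218 (C00E215R3P1)", "3.0.0.1"]:
        print(f"{reported:28} -> {assess(reported)}")
```

Feed `assess()` the value read from Settings > About phone > HarmonyOS version; anything it reports as "vulnerable" still needs the update, and "out of scope" means the version is not in the 2.0 line this advisory covers, not that it is safe.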

📡 Detection & Monitoring

Log Indicators:

  • Unusual password vault access patterns
  • Multiple failed authentication attempts to password vault
  • Configuration changes to password vault settings

Network Indicators:

  • Unexpected network traffic to/from password vault services
  • Unusual authentication requests

SIEM Query:

source="harmonyos" AND (event_type="password_vault_access" OR event_type="authentication_failure")
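The SIEM query above only surfaces matching events; turning the log indicators listed in this section into alerts needs a little state (repeated failures per device within a window). The script below is an added example and not part of the advisory or any HarmonyOS tooling. It runs over a constructed sample log: the `source` and `event_type` fields and their two values come from the query on this page, while the `device`, `target` and `setting` fields, the `password_vault_config_change` event type, and the timestamp-plus-key=value line layout are assumptions made for the example, not the real HarmonyOS log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log, not real HarmonyOS output (see lead-in for which fields are assumed).
SAMPLE_LOG = """\
2021-10-12T09:00:01Z source=harmonyos device=dev-a event_type=password_vault_access result=success
2021-10-12T09:01:10Z source=harmonyos device=dev-b event_type=authentication_failure target=password_vault
2021-10-12T09:01:25Z source=harmonyos device=dev-b event_type=authentication_failure target=password_vault
2021-10-12T09:01:40Z source=harmonyos device=dev-b event_type=authentication_failure target=password_vault
2021-10-12T09:02:05Z source=harmonyos device=dev-b event_type=authentication_failure target=password_vault
2021-10-12T09:02:30Z source=harmonyos device=dev-b event_type=authentication_failure target=password_vault
2021-10-12T09:03:00Z source=harmonyos device=dev-c event_type=authentication_failure target=password_vault
2021-10-12T09:30:00Z source=harmonyos device=dev-c event_type=authentication_failure target=password_vault
2021-10-12T09:31:00Z source=harmonyos device=dev-a event_type=password_vault_config_change setting=autofill
2021-10-12T09:32:00Z source=other device=dev-z event_type=authentication_failure target=password_vault
"""

FAILURE_THRESHOLD = 5                  # failed vault authentications per device ...
FAILURE_WINDOW = timedelta(minutes=5)  # ... within this sliding window
QUERY_EVENT_TYPES = {"password_vault_access", "authentication_failure"}

Event = Dict[str, str]


def parse_event(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    event: Event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def event_time(event: Event) -> datetime:
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def matches_siem_query(event: Event) -> bool:
    """The advisory's query: source="harmonyos" AND event_type is vault access or auth failure."""
    return event.get("source") == "harmonyos" and event.get("event_type") in QUERY_EVENT_TYPES


def siem_hits(log_text: str) -> List[Event]:
    """Events the SIEM query would return for an analyst to review."""
    events = (parse_event(line) for line in log_text.splitlines() if line.strip())
    return [ev for ev in events if matches_siem_query(ev)]


def detect(log_text: str) -> List[Tuple[str, str, str]]:
    """Turn two of the log indicators above into alerts: (kind, device, timestamp).

    "vault_auth_bruteforce": FAILURE_THRESHOLD or more vault auth failures from one device
    within FAILURE_WINDOW; the window is cleared after alerting so a sustained burst yields
    one alert per threshold-sized batch instead of one per line.
    "vault_config_change": any configuration change to password vault settings.
    """
    alerts: List[Tuple[str, str, str]] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("source") != "harmonyos":
            continue  # not a HarmonyOS event, outside this detection's scope
        device = ev.get("device", "unknown")
        if ev.get("event_type") == "password_vault_config_change":
            alerts.append(("vault_config_change", device, ev["ts"]))
        elif ev.get("event_type") == "authentication_failure" and ev.get("target") == "password_vault":
            now = event_time(ev)
            window = failures[device]
            window.append(now)
            while window and now - window[0] > FAILURE_WINDOW:
                window.popleft()  # discard failures that fell out of the window
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append(("vault_auth_bruteforce", device, ev["ts"]))
                window.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log this fires once for the burst of five failures from `dev-b` and once for the configuration change on `dev-a`; the two widely spaced failures from `dev-c` stay below threshold, and the non-HarmonyOS line is ignored. The threshold and window are starting points to tune against your own baseline of normal vault usage.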
