Login Sign Up

CVE-2021-39998

7.5 HIGH
Denial of Service

📋 TL;DR

This vulnerability in HwConnectivityExService allows attackers to cause denial of service by making concurrent API calls to affected smartphones. Successful exploitation causes system crashes and forced restarts. Huawei/HarmonyOS smartphone users are affected.

💻 Affected Systems

Products:
  • Huawei smartphones with HarmonyOS
  • Huawei smartphones with EMUI
Versions: HarmonyOS 2.0 versions before 2.0.0.230, EMUI versions before specific security patches in December 2021
Operating Systems: HarmonyOS, Android-based EMUI
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with the vulnerable HwConnectivityExService component; exact device models not specified in available references.

📦 What is this software?

Emui by Huawei

View all CVEs affecting Emui →

Emui by Huawei

View all CVEs affecting Emui →

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

Magic Ui by Huawei

View all CVEs affecting Magic Ui →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Persistent denial of service making device unusable until patched, potentially requiring factory reset if crashes prevent updates.

🟠

Likely Case

Temporary device unavailability during crashes and restarts, disrupting user activities and potentially causing data loss in unsaved applications.

🟢

If Mitigated

Minimal impact with proper patching; devices remain functional with normal performance.

🌐 Internet-Facing: MEDIUM - Requires local access or malicious app installation; not directly exploitable over internet without user interaction.
🏢 Internal Only: MEDIUM - Malicious apps or compromised internal systems could trigger the vulnerability on connected devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to make concurrent API calls to the vulnerable service, typically through malicious app with appropriate permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS 2.0.0.230 and later; EMUI security patches from December 2021

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2021/12/

Restart Required: Yes

Instructions:

1. Check for system updates in device Settings. 2. Install available security updates. 3. Restart device after installation completes.

🔧 Temporary Workarounds

Disable unnecessary connectivity services

all

Reduce attack surface by disabling unused connectivity features that might interact with HwConnectivityExService

Restrict app permissions

all

Limit which apps have system-level permissions that could access vulnerable APIs

🧯 If You Can't Patch

  • Isolate vulnerable devices from untrusted networks and applications
  • Implement mobile device management (MDM) controls to monitor for crash events

🔍 How to Verify

Check if Vulnerable:

Check device OS version: Settings > About phone > HarmonyOS/EMUI version. Compare against patched versions.

Check Version:

adb shell getprop ro.build.version.emui (for EMUI) or check Settings > About phone

Verify Fix Applied:

Confirm OS version is HarmonyOS 2.0.0.230+ or has December 2021 security patches installed.

📡 Detection & Monitoring

Log Indicators:

  • Frequent system crashes/restarts
  • HwConnectivityExService crash logs
  • ANR (Application Not Responding) events related to connectivity

Network Indicators:

  • Unusual API call patterns to local device services

SIEM Query:

source="android_logs" AND ("HwConnectivityExService" OR "system_server") AND ("crash" OR "ANR" OR "Watchdog")

📊 Metadata

CVE ID: CVE-2021-39998
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: January 10, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON