CVE-2021-40028

7.5 HIGH

📋 TL;DR

CVE-2021-40028 is an out-of-bounds memory write vulnerability in the eID module of HarmonyOS. This vulnerability could allow attackers to corrupt memory and potentially execute arbitrary code or cause system crashes. It affects HarmonyOS devices with the vulnerable eID module.

💻 Affected Systems

Products:
  • HarmonyOS devices with eID module
Versions: HarmonyOS versions prior to the January 2022 security update
Operating Systems: HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the eID (electronic identity) module implementation

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation

🟠 Likely Case: System instability, crashes, or denial of service affecting device functionality

🟢 If Mitigated: Limited impact with proper memory protections and exploit mitigations in place

🌐 Internet-Facing: MEDIUM - Requires specific conditions but could be exploited remotely if eID services are exposed
🏢 Internal Only: MEDIUM - Could be exploited locally or through adjacent network access

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific conditions and knowledge of the eID module implementation

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2022 security update for HarmonyOS

Vendor Advisory: https://device.harmonyos.com/en/docs/security/update/security-bulletins-202201-0000001238736331

Restart Required: Yes

Instructions:

1. Check for available updates in device settings.
2. Apply the January 2022 security update.
3. Restart the device to complete installation.

🔧 Temporary Workarounds

  • Disable eID module if not needed (all platforms): temporarily disable the eID functionality if it is not required for device operation
  • Network segmentation (all platforms): isolate affected devices from untrusted networks

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Monitor for abnormal system behavior or crashes related to eID services

🔍 How to Verify

Check if Vulnerable:

Check HarmonyOS version in Settings > About phone > HarmonyOS version

Check Version:

Not applicable - check through device settings interface

Verify Fix Applied:

Verify HarmonyOS version is updated to include January 2022 security patches

📡 Detection & Monitoring

Log Indicators:

  • Unexpected eID module crashes
  • Memory access violation errors
  • Abnormal eID service termination

Network Indicators:

  • Unusual network traffic to/from eID services
  • Attempts to access eID module interfaces

SIEM Query:

source="harmonyos" AND ((event_type="crash" AND module="eid") OR (event_type="memory_violation" AND process="eid"))

Note on precedence: in most SIEM query languages AND binds tighter than OR, so without the outer parentheses the source="harmonyos" filter would apply only to the crash branch and the memory-violation branch would match events from any source.
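To show what the query above selects, here is an added example (not code from the CVE page or from the HarmonyOS project) that parses a few constructed key="value" log lines, applies the rule with the intended precedence, and also applies the literal left-to-right reading so the difference is visible. Field names (source, event_type, module, process) follow the query; the log lines themselves are constructed samples, not real telemetry.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample log lines (not real HarmonyOS telemetry). Field names
# follow the page's SIEM query: source, event_type, module, process.
SAMPLE_LOG_LINES = [
    '2022-01-15T10:00:01Z source="harmonyos" event_type="crash" module="eid" process="eid"',
    '2022-01-15T10:00:05Z source="harmonyos" event_type="memory_violation" module="kernel" process="eid"',
    '2022-01-15T10:00:09Z source="harmonyos" event_type="crash" module="camera" process="camera"',
    '2022-01-15T10:00:12Z source="android" event_type="memory_violation" module="eid" process="eid"',
    '2022-01-15T10:00:20Z source="harmonyos" event_type="memory_violation" module="eid" process="mediaserver"',
]

_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Extract every key="value" pair from one log line into a dict."""
    return dict(_FIELD_RE.findall(line))


def is_eid_crash(ev: Dict[str, str]) -> bool:
    """First branch of the rule: a crash event attributed to the eid module."""
    return ev.get("event_type") == "crash" and ev.get("module") == "eid"


def is_eid_memory_violation(ev: Dict[str, str]) -> bool:
    """Second branch of the rule: a memory access violation in the eid process."""
    return ev.get("event_type") == "memory_violation" and ev.get("process") == "eid"


def matches_rule(ev: Dict[str, str]) -> bool:
    """Intended rule: source must be harmonyos AND either branch must hold."""
    return ev.get("source") == "harmonyos" and (is_eid_crash(ev) or is_eid_memory_violation(ev))


def matches_rule_as_written(ev: Dict[str, str]) -> bool:
    """Literal precedence of `A AND (B) OR (C)`: AND binds tighter than OR, so
    the memory-violation branch is not restricted to source="harmonyos"."""
    return (ev.get("source") == "harmonyos" and is_eid_crash(ev)) or is_eid_memory_violation(ev)


def select_alerts(
    lines: List[str],
    predicate: Callable[[Dict[str, str]], bool] = matches_rule,
) -> List[Tuple[int, str]]:
    """Return (line index, event_type) for every line the predicate accepts."""
    hits = []
    for idx, line in enumerate(lines):
        ev = parse_line(line)
        if predicate(ev):
            hits.append((idx, ev.get("event_type", "")))
    return hits


if __name__ == "__main__":
    print("intended rule:", select_alerts(SAMPLE_LOG_LINES))
    print("as written:   ", select_alerts(SAMPLE_LOG_LINES, matches_rule_as_written))
```

With the intended precedence only lines 0 and 1 alert (an eid crash and an eid memory violation, both from the harmonyos source); the literal reading additionally pulls in line 3, whose source is not harmonyos, which is the kind of noise the outer parentheses prevent. Line 4 matches neither reading because the violation is in the eid module but not the eid process, which is exactly the field the query keys on.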

🔗 References
