CVE-2021-40049 – This CVE-2021-40049 is a permission control vul... (How to Fix)

Q: What is the severity of CVE-2021-40049?

CVE-2021-40049 has a CVSS score of 7.5 (HIGH). This CVE-2021-40049 is a permission control vulnerability in Huawei's PMS (Package Manager Service) module that allows unauthorized access to sensitive system information. It affects Huawei devices running HarmonyOS and EMUI. Attackers can exploit this to obtain system information without proper authorization.

📋 TL;DR

This CVE-2021-40049 is a permission control vulnerability in Huawei's PMS (Package Manager Service) module that allows unauthorized access to sensitive system information. It affects Huawei devices running HarmonyOS and EMUI. Attackers can exploit this to obtain system information without proper authorization.

💻 Affected Systems

Products:

Huawei smartphones
Huawei tablets

Versions: HarmonyOS 2.0 versions before 2.0.0.230, EMUI 12.0.0 versions before 12.0.0.230

Operating Systems: HarmonyOS, EMUI

Default Config Vulnerable: ⚠️ Yes

Notes: Affects Huawei devices running vulnerable versions of HarmonyOS or EMUI. Requires local access or malicious application installation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of sensitive system information including device configuration, installed applications, and potentially user data through privilege escalation.

🟠

Likely Case

Unauthorized access to system information that could be used for reconnaissance, profiling devices, or as a stepping stone for further attacks.

🟢

If Mitigated

Limited to no impact if proper access controls and patching are implemented.

🌐 Internet-Facing: MEDIUM - Requires local access or malicious app installation, but could be combined with other exploits.

🏢 Internal Only: HIGH - Malicious apps or compromised devices within the network could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access or malicious app installation. No public proof-of-concept available as of knowledge cutoff.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS 2.0.0.230 and later, EMUI 12.0.0.230 and later

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2022/3/

Restart Required: Yes

Instructions:

1. Check for system updates in device Settings > System & updates > Software update. 2. Download and install available security updates. 3. Restart device after installation completes.

🔧 Temporary Workarounds

Restrict app installations

all

Only install applications from trusted sources like official app stores

Enable app verification

all

Turn on app verification features in device security settings

🧯 If You Can't Patch

Isolate affected devices from sensitive networks and systems
Implement strict application whitelisting policies

🔍 How to Verify

Check if Vulnerable:

Check device version in Settings > About phone > HarmonyOS/EMUI version

Check Version:

Settings > About phone > HarmonyOS/EMUI version

Verify Fix Applied:

Verify version is HarmonyOS 2.0.0.230+ or EMUI 12.0.0.230+ after update

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to PMS module
Suspicious permission requests from applications

Network Indicators:

Unusual outbound connections from affected devices

SIEM Query:

device.os.name:HarmonyOS AND device.os.version:<2.0.0.230 OR device.os.name:EMUI AND device.os.version:<12.0.0.230

📊 Metadata

CVE ID: CVE-2021-40049

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-276

Published: March 10, 2022

Last Updated: November 21, 2024

🔗 References

https://consumer.huawei.com/en/support/bulletin/2022/3/ Vendor Advisory
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-phones-202203-0000001257385193 Vendor Advisory
https://consumer.huawei.com/en/support/bulletin/2022/3/ Vendor Advisory
https://device.harmonyos.com/cn/docs/security/update/security-bulletins-phones-202203-0000001257385193 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-40049, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Emui by Huawei

Emui by Huawei

Emui by Huawei

Emui by Huawei

Emui by Huawei

Emui by Huawei

Harmonyos by Huawei

Magic Ui by Huawei

Magic Ui by Huawei

Magic Ui by Huawei

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict app installations

Enable app verification

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities