May 2022 EMUI security patch fixes for these 17 privacy issues

Huawei is always concerned about user overall system security and data privacy. To fix the security flaws encountered in the latest software system, Huawei releases a monthly security patch for EMUI and HarmonyOS-powered devices.

In the latest move, Huawei has dispatched the May 2022 EMUI security patch detail, which is published on the Android security bulletin. In detail, the latest security patch fixes 1 critical, 14 high, and 16 medium levels of CVE.

Are thinking the May 2022 security patch detail contains only above mentioned fixes? Well, that’s not it, the May 2022 EMUI patch also includes fixes for some additional issues, which can cause major problems for the users.

With May 2022 security update, the company resolves a total of 17 common vulnerabilities and issues found in EMUI software systems. Currently, Huawei is seeding the latest EMUI 12 major OS update in global Huawei smartphones.

However, there are some CVEs found in the latest EMUI 12. Therefore, the installation of the May 2022 update is really important for increased system security and privacy.

The May 2022 security update fixed the following EMUI issues:

CVE 1:

• CVE-2021-46785: Improper permission control vulnerability in the Property module
• Severity: Medium
• Affected versions: EMUI 12.0.0
• Impact: Successful exploitation of this vulnerability can result in the obtaining of the unique device identifier.
• Acknowledgment: Zhang Qing (ByteDance), Wang Kailong (NUS), and Bai Guang Dong (UQ)

CVE 2:

• CVE-2021-46789: Configuration defects in the secure OS module
• Severity: Medium
• Affected versions: EMUI 11.0.1
• Impact: Successful exploitation of this vulnerability will affect availability.

CVE 3:

• CVE-2021-46788: Third-party pop-up window coverage vulnerability in the iConnect module
• Severity: Medium
• Affected versions: EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0
• Impact: System pop-up window may be covered to mislead users to perform incorrect operations.

CVE 4:

• CVE-2021-46787: Improper permission control vulnerability in the AMS module
• Severity: High
• Affected versions: EMUI 11.0.1, EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0
• Impact: Successful exploitation of this vulnerability may cause non-system application processes to crash.

CVE 5:

• CVE-2021-46786: Insufficient verification of the parameters transferred by the application space in the audio module
• Severity: Medium
• Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0
• Impact: Successful exploitation of this vulnerability may cause out-of-bounds memory access.

CVE 6:

• CVE-2021-40010: Heap overflow vulnerability in the bone voice ID trusted application (TA).
• Severity: Critical
• Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0
• Impact: Successful exploitation of this vulnerability may result in malicious code execution.

CVE 7:

• CVE-2022-22258: Event notification vulnerability in the Wi-Fi module
• Severity: Medium
• Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, HMOS 2.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0
• Impact: Successful exploitation of this vulnerability may cause third-party apps to intercept and add information and result in elevation of privilege.

CVE 8:

• CVE-2022-29794: UAF vulnerability in the frame scheduling module
• Severity: Medium
• Affected versions: EMUI 12.0.0
• Impact: Successful exploitation of this vulnerability will affect integrity, availability, and confidentiality.

CVE 9:

• CVE-2022-22261: Unstrict verification of the validity of the weight in the model in hiaiserver
• Severity: Medium
• Affected versions: EMUI 12.0.0
• Impact: Successful exploitation of this vulnerability will cause AI service exceptions.

CVE 10:

• CVE-2022-29793: Configuration defects in the activation lock of the mobile phone
• Severity: Medium
• Affected versions: EMUI 12.0.0
• Impact: Successful exploitation of this vulnerability may affect availability.

CVE 11:

• CVE-2022-29792: Serial number obtaining vulnerability in the chip assembly
• Severity: Medium
• Affected versions: EMUI 12.0.0
• Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE 12:

• CVE-2022-29791: Unstrict verification of the validity of the weight in the model in hiaiserver
• Severity: Medium
• Affected versions: EMUI 12.0.0
• Impact: Successful exploitation of this vulnerability will cause AI service exceptions.

CVE 13:

• CVE-2022-29790: Service abnormality caused by multi-threaded access to the database in the graphics acceleration service
• Severity: Medium
• Affected versions: EMUI 12.0.0
• Impact: Successful exploitation of this vulnerability may cause service exceptions.

CVE 14:

• CVE-2022-29789: Unstrict verification of the validity of the property in the model in hiaiserver
• Severity: Medium
• Affected versions: EMUI 12.0.0
• Impact: Successful exploitation of this vulnerability will cause AI service exceptions.

CVE 15:

• CVE-2022-29795: Null pointer dereference vulnerability in the frame scheduling module
• Severity: High
• Affected versions: EMUI 12.0.0
• Impact: Successful exploitation of this vulnerability will affect availability.

CVE 16:

• CVE-2022-29796: Unstrict verification of the validity of the weight in the model in hiaiserver
• Severity: Medium
• Affected versions: EMUI 12.0.0
• Impact: Successful exploitation of this vulnerability will cause AI service exceptions.

CVE 17:

• CVE-2022-22260: UAF vulnerability in the kernel module
• Severity: Medium
• Affected versions: EMUI 12.0.0
• Impact: Successful exploitation of this vulnerability will affect integrity and availability.

(Source: Huawei)