EMUI
These issues on EMUI 11 and 12 fixed with October 2022 EMUI security patches
Huawei has brought the October 2022 EMUI security patch details with a big bag of fixes and improvements for the threatening issues. Consequently, users will notice overall enhancement and stability in their devices after installing the new patch.
We are well aware of the fact that Huawei sends regular updates to its devices to maintain their reliability. But, often these updates welcome some hidden issues and defects in the system. As a result, these issues create a gateway for the malware to enter the applications and exploit the entire functioning of the gadget.
Therefore, this makes the user very conscious about installing every new firmware on their device. Hence, apart from the vulnerability description, the company has also shared a huge narration regarding what fixes the new patch will bring to the smart handsets.
As usual, the company has explored various segments of the device and has prepared a fresh improvement package. And the interesting part of this new package is, these fixes apply to the major EMUI 11 and 12 versions.
On the other hand, these spots cover several essential parts of the internal system. For instance, framework, kernel, KEYMASTER, configuration, and more. Thus, by treating and mending every element, this patch increases the security of your device to the next level.
So, if your handy gadget is running on any of the mentioned versions, then you must check which new issues get a full stop with the latest October 2022 EMUI security patch.
October 2022 EMUI security fixes for EMUI 11 and EMUI 12
CVE 1: CVE-2021-40017
- CVE version detail: Vulnerability of not verifying the validity of the key’s format in the HW_KEYMASTER module
- Risk Level: Critical
- Affected Versions: EMUI 12.0.0, EMUI 11.0.1
- Impact of this CVE on devices: Successful exploitation of this vulnerability may cause out-of-bounds access
CVE 2: CVE-2021-46839, CVE-2021-46840
- CVE version detail: Lack of length check, and parameter set verification vulnerability in the HW_KEYMASTER module
- Risk Level: Medium
- Affected Versions: EMUI 12.0.0, EMUI 11.0.1
- Impact of this CVE on devices: Attackers can construct malicious data as well as cause out-of-bounds access
CVE 3: CVE-2022-38983
- CVE version detail: UAF vulnerability in the BT Hfp Client module
- Risk Level: High
- Affected Versions: EMUI 12.0.0, EMUI 11.0.1
- Impact of this CVE on devices: Successful exploitation of this vulnerability may cause arbitrary code execution
CVE 4: CVE-2022-41576
- CVE version detail: boot.sh script that can be modified by malicious programs in the phone module
- Risk Level: Medium
- Affected versions: EMUI 12.0.0, EMUI 11.0.1
- Impact of this CVE on devices: Successful exploitation of this vulnerability can cause irreversible program implantation on the user’s device.
CVE 5: CVE-2022-41578
- CVE version detail: Out-of-bounds write vulnerability in the mptcp module
- Risk Level: High
- Affected versions: EMUI 12.0.0, EMUI 11.0.1
- Impact of this CVE on devices: Successful exploitation of this vulnerability may cause attack programs to modify program information to implement root privilege escalation attacks.
CVE 6: CVE-2022-41580, CVE-2022-41581
- CVE version details: Vulnerability of not verifying the read content in the HW_KEYMASTER module
- Risk Level: Medium
- Affected Versions: EMUI 12.0.0, EMUI 11.0.1
- Impact of this CVE on devices: Attackers can construct malicious data as well as cause out-of-bounds access
CVE 7: CVE-2022-41582
- CVE version details: Configuration defects in the security module
- Risk Level: High
- Affected versions: EMUI 12.0.0, EMUI 11.0.1
- Impact of this CVE on devices: Successful exploitation of this vulnerability may affect availability
CVE 8: CVE-2022-41584, CVE-2022-41585
- CVE version details: Out-of-bounds read vulnerability in the kernel module
- Risk Level: Medium
- Affected versions: EMUI 12.0.0, EMUI 11.0.1
- Impact of this CVE on devices: Successful exploitation of this vulnerability may cause memory overwriting
CVE 9: CVE-2022-41586
- CVE version details: Untruncated data vulnerability in the communication framework module
- Risk Level: Medium
- Affected versions: EMUI 12.0.0, EMUI 11.0.1
- Impact of this CVE on devices: Successful exploitation of this vulnerability will affect confidentiality
CVE 10: CVE-2022-41588
- CVE version details: Service logic exception vulnerability in the home screen module
- Risk Level: Medium
- Affected versions: EMUI 12.0.0, EMUI 11.0.1
- Impact of this CVE on devices: Successful exploitation of this vulnerability may affect the integrity
CVE 11: (CVE-2022-41592, CVE-2022-41593, CVE-2022-41594, CVE-2022-41595, CVE-2022-41597, CVE-2022-41598, CVE-2022-41600, CVE-2022-41601, CVE-2022-41602, CVE-2022-41603)
- CVE version details: Heap overflow/Out-of-bounds read/Null pointer or other issues in the phone due to fingerprint TA
- Risk Level: Medium
- Affected versions: EMUI 12.0.0, EMUI 11.0.1
- Impact of these CVEs on devices: Attackers with root permission can exploit this vulnerability by controlling the file content. As a result, the fingerprint service may be abnormal.
Huawei has released the January 2023 software update for the Huawei Nova Y90 and Y70 smartphones in the global market, and this firmware clearly improves these phones’ security aspects for a better user experience.
Both Huawei Nova Y90 and Y70 runs EMUI 12 out of the box but it would be interesting if the company could have sent EMUI 13 instead of the security patch. Speaking of which, no one knows, when Huawei will rollout EMUI 13 for global users for the time being.
Coming back to the rollout, January 2023 security update for Huawei Nova Y90 and Nova Y70 comes with EMUI version 12.0.1.177 and EMUI 12.0.1.202. This update is suggested to install on all of the devices sold marketed outside of China and will appear in batches.
We suggest the corresponding users look into the settings > then open System & updates, followed by a Software update, and then tap on CHECK FOR UPDATES. You can download the latest firmware also from the My Huawei app.
You should know that the update won’t erase your personal data but it is suggested for you back up any important data before updating the device. On the other hand, the package will be deleted automatically once the installation succeeds.
Thanks to the tipster for this amazing information, Masterpiece.
(via)
Huawei has released February 2023 EMUI security patch details that will fetch better safety for smartphones running EMUI 12.0.1, EMUI 12.0, and EMUI 11 in the global market.
In the meantime, Huawei keeps on sending security patches, optimizations, and other important performance upgrades over the OTA method directly to the devices.
Meanwhile, Huawei has not released the February 2023 EMUI security patch update for smartphones but it may soon be delivered to the corresponding eligible models.
Why it’s important?
Security patches are important and Huawei releases such upgrades for smartphones to implement high safety measures to guard the data and fight vulnerabilities. Such updates roll out monthly and quarterly sessions.
What fixed:
Huawei has fixed 2 issues in critical condition, 14 of them fixed in high mode, medium and low level of vulnerabilities are not recorded this time. While there are 23 common vulnerability exposures patched from the last firmware version.
Specifically, it fixes an unauthorized access vulnerability (CVE-2022-48286) in the multi-screen collaboration module, which could have affected the confidentiality of the files that you are sharing over the air.
There are two medium-level vulnerabilities fixed for Bluetooth modules, which could exploit user data. CVE-2022-48295 addresses the fix of authentification of the IHwAntiMalPlugin API, which could let malware attack your Huawei device.
Next comes the Huawei fix for permission management vulnerability in the SystemUI module, which may cause users to receive misleading broadcasts from malicious apps for storage exploitations.
Below you can check all of the CVE counts and codes mentioned in the February 2023 security bulletin.
Critical:
- CVE-2022-22088, CVE-2022-41674
High:
- CVE-2022-20456, CVE-2022-20461, CVE-2022-20489, CVE-2022-20490, CVE-2022-20492, CVE-2022-20493, CVE-2022-20494, CVE-2023-20905, CVE-2023-20913, CVE-2023-20915, CVE-2023-20920, CVE-2023-20921, CVE-2022-33255, CVE-2022-32635
Already included in previous updates:
- CVE-2022-20504, CVE-2022-20506, CVE-2022-20513, CVE-2022-20515, CVE-2022-20516, CVE-2022-20517, CVE-2022-20518, CVE-2022-20520, CVE-2022-20521, CVE-2022-20525, CVE-2022-20528, CVE-2022-20530, CVE-2022-20537, CVE-2022-20539, CVE-2022-20541, CVE-2022-20544, CVE-2022-20546, CVE-2022-20552, CVE-2022-42535, CVE-2022-42542, CVE-2022-20496, CVE-2022-20566, CVE-2021-39793
February 2023 security patch may take some time to toss over the devices and we’ll keep you posted.
Huawei is expanding the January 2023 security patch for Nova 7 global version that improves the phone’s capability against potential threats. According to the information, Huawei Nova 7 January 2023 EMUI update comes with version 12.0.0.244 and 233 megabytes. This update is rolling out in batches began to rollout early last month.
You can check for the update via Settings or via the My Huawei app. Below you can see the update changelog:
This update improves system security with security patches.
Security:
- Integrates security patches released in January 2023 for improved system security.
Update notes:
- This update will not erase your personal data but we recommend that you back up only important data before updating.
- If you encounter any issues during the update contact the Huawei customer service hotline.
- The update package will be deleted automatically after the update is complete.
Thanks to the tipster – Mohammed for this amazing update.
