CVE-2024-47398
Published: 07 January 2025
Summary
CVE-2024-47398 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in OpenAtom OpenHarmony. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 39.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-47398 is an out-of-bounds write vulnerability (CWE-787) affecting OpenHarmony versions v4.1.2 and prior. It enables a local attacker to prevent the device from booting up. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows high-impact effects, including the device failing to boot, which constitutes a denial-of-service condition, alongside potential compromise of confidentiality and integrity due to the changed scope.
Mitigation details are provided in the OpenHarmony security advisory at https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-01.md. Security practitioners should consult this reference for patches or workarounds specific to affected OpenHarmony deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42694
Vulnerability details
OpenHarmony v4.1.2 and prior versions allow a local attacker to cause the device to be unable to boot up through an out-of-bounds write.
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds write enables local exploitation for privilege escalation (T1068) leading to boot-time DoS via system/application exploitation (T1499.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates CVE-2024-47398 by identifying, reporting, and correcting the out-of-bounds write flaw in OpenHarmony through timely patching.
- Implements memory protection safeguards such as address randomization and non-executable memory to prevent exploitation of the out-of-bounds write vulnerability.
- Validates inputs to applications and systems to restrict out-of-bounds writes triggered by local attacker-supplied data during the boot process.