CVE-2021-22371

7.5 HIGH

📋 TL;DR

This CVE describes an improper permission management vulnerability in Huawei smartphones that allows unauthorized access to sensitive services. Successful exploitation could compromise service confidentiality by exposing protected data or functionality. The vulnerability affects Huawei smartphone users with specific software versions.

💻 Affected Systems

Products:
  • Huawei smartphones
Versions: Specific Huawei smartphone software versions (exact versions not specified in provided references)
Operating Systems: Android-based Huawei EMUI
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configurations of affected Huawei smartphones. Exact model list and versions would require checking Huawei's official bulletins.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain unauthorized access to sensitive smartphone services, potentially exposing personal data, authentication credentials, or device functionality that should be protected.

🟠 Likely Case

Local attackers or malicious apps bypass permission checks to access protected services, leading to information disclosure about device state or user activities.

🟢 If Mitigated

With proper app sandboxing and permission controls, exploitation would be limited to specific services rather than full device compromise.

🌐 Internet-Facing: LOW - This appears to be a local vulnerability requiring access to the device, not directly exploitable over the internet.
🏢 Internal Only: MEDIUM - Malicious apps or local attackers could exploit this, but physical access or app installation would typically be required.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation likely requires local access or malicious app installation. No public exploit code was found in initial research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Huawei security updates from May 2021 onward

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2021/5/

Restart Required: Yes

Instructions:

1. Check for available updates in Settings > System & updates > Software update.
2. Download and install the latest security update.
3. Restart the device after installation completes.

🔧 Temporary Workarounds

Restrict app permissions (applies to: all)

Review and restrict unnecessary app permissions to limit the potential attack surface.

Install apps only from trusted sources (applies to: all)

Prevent installation of potentially malicious apps that could exploit this vulnerability.

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks and data
  • Implement mobile device management (MDM) with strict app whitelisting

🔍 How to Verify

Check if Vulnerable:

Check device software version in Settings > About phone > Build number and compare against Huawei's May 2021 security bulletin

Check Version:

No command-line option; check through device Settings interface

Verify Fix Applied:

Verify the security patch level includes May 2021 or later updates in Settings > About phone > Build number

📡 Detection & Monitoring

Log Indicators:

  • Unusual permission requests from apps
  • Unexpected service access attempts in system logs

Network Indicators:

  • Unusual outbound connections from smartphone services

SIEM Query:

No standard SIEM query available for mobile device permission bypass vulnerabilities
