Login Sign Up

CVE-2021-36991

7.5 HIGH
Path Traversal

📋 TL;DR

This vulnerability in Huawei smartphones allows attackers to access files they shouldn't have permission to view by manipulating file paths. It affects Huawei smartphone users who haven't applied security updates. The issue stems from improper validation of file path inputs.

💻 Affected Systems

Products:
  • Huawei Smartphones
Versions: Specific versions not detailed in provided references, but affected devices prior to July 2021 security updates
Operating Systems: HarmonyOS, Android-based EMUI
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Huawei smartphones with unpatched software. Exact model list not specified in provided references.

📦 What is this software?

Emui by Huawei

View all CVEs affecting Emui →

Emui by Huawei

View all CVEs affecting Emui →

Magic Ui by Huawei

View all CVEs affecting Magic Ui →

Magic Ui by Huawei

View all CVEs affecting Magic Ui →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of sensitive user data including personal files, photos, documents, and potentially authentication tokens stored on the device.

🟠

Likely Case

Unauthorized access to specific files or directories that could contain personal information, leading to privacy violations.

🟢

If Mitigated

No impact if the vulnerability is patched or if proper input validation prevents path manipulation.

🌐 Internet-Facing: LOW - This appears to be a local vulnerability requiring access to the device, not directly exploitable over the internet.
🏢 Internal Only: MEDIUM - Could be exploited by malicious apps installed on the device or through physical access to the smartphone.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires creating malicious file paths, likely through a malicious application or specific conditions. No public exploit code was mentioned in the provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2021 security update or later

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2021/7/

Restart Required: Yes

Instructions:

1. Go to Settings > System & updates > Software update on your Huawei smartphone. 2. Check for available updates. 3. Download and install the July 2021 security update or later. 4. Restart your device after installation completes.

🔧 Temporary Workarounds

Restrict app permissions

all

Limit file access permissions for applications to reduce attack surface

Avoid untrusted apps

all

Only install applications from official app stores and trusted developers

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks and data
  • Implement mobile device management (MDM) policies to restrict app installations and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check your device's security patch level in Settings > About phone > Build number. If the security patch level is before July 2021, the device is likely vulnerable.

Check Version:

Not applicable - check through device settings interface

Verify Fix Applied:

Verify the security patch level shows July 2021 or later in Settings > About phone > Build number after applying updates.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns
  • Multiple failed file access attempts with manipulated paths
  • Applications requesting unexpected file permissions

Network Indicators:

  • Not applicable - this is a local file system vulnerability

SIEM Query:

Not applicable for typical SIEM monitoring as this is a local device vulnerability

📊 Metadata

CVE ID: CVE-2021-36991
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Published: October 28, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON