CVE-2021-37006

7.5 HIGH

📋 TL;DR

This CVE describes an Improper Preservation of Permissions vulnerability in Huawei smartphones running HarmonyOS. It allows unauthorized access to sensitive user data by bypassing permission controls. Users of affected Huawei devices are impacted.

💻 Affected Systems

Products:
  • Huawei Smartphones
Versions: HarmonyOS versions prior to the August 2021 security update
Operating Systems: HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Specific device models not specified in available references, but affects Huawei smartphones running vulnerable HarmonyOS versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of user confidentiality, including access to personal data, photos, messages, and authentication credentials stored on the device.

🟠 Likely Case: Unauthorized access to specific protected data or system resources that should require user permission.

🟢 If Mitigated: Limited or no data exposure if the security patch is applied and device permissions are properly configured.

🌐 Internet-Facing: LOW - This appears to be a local device vulnerability requiring physical or app-based access to the device.
🏢 Internal Only: MEDIUM - Malicious apps or users with device access could exploit this to bypass permission controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation likely requires malicious app installation or physical access to the device. No public exploit code found in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: August 2021 HarmonyOS security update

Vendor Advisory: https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202108-0000001180965965

Restart Required: Yes

Instructions:

1. Navigate to Settings > System & updates > Software update on your Huawei device.
2. Check for available updates.
3. Install the August 2021 security update.
4. Restart the device when prompted.

🔧 Temporary Workarounds

Restrict app permissions (all): Review and restrict unnecessary app permissions to limit the potential attack surface.

Disable unknown sources (all): Prevent installation of apps from unknown sources to reduce the risk of malicious apps.

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks and data
  • Implement strict app installation policies and monitor for suspicious behavior

🔍 How to Verify

Check if Vulnerable:

Check the HarmonyOS version in Settings > About phone > HarmonyOS version. If the version predates the August 2021 security update, the device is vulnerable.

Check Version:

Settings > About phone > HarmonyOS version (no CLI command available)

Verify Fix Applied:

Confirm that Settings > About phone > HarmonyOS version shows the August 2021 security update or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual permission access patterns
  • Apps requesting permissions outside their normal scope

Network Indicators:

  • Unusual data exfiltration from device

SIEM Query:

Not applicable - local device vulnerability
