CVE-2021-37038

7.5 HIGH

📋 TL;DR

This CVE describes an improper access control vulnerability in Huawei smartphones that could allow unauthorized access to sensitive services. Successful exploitation could compromise service confidentiality. Affected users are those with vulnerable Huawei smartphone models running specific software versions.

💻 Affected Systems

Products:

• Huawei smartphones

Versions: Specific versions not detailed in provided references; September 2021 security bulletin indicates multiple models affected

Operating Systems: HarmonyOS, EMUI

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability affects service confidentiality on Huawei smartphones; exact models and versions would need to be checked against Huawei's security bulletins.

📦 What is this software?

Emui by Huawei

View all CVEs affecting Emui →

Magic Ui by Huawei

View all CVEs affecting Magic Ui →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could gain unauthorized access to sensitive services and data on the device, potentially compromising user privacy and device security.

🟠

Likely Case

Local attackers or malicious apps could bypass access controls to access protected services they shouldn't have permission to use.

🟢

If Mitigated

With proper security controls and updated software, the vulnerability would be patched and inaccessible to attackers.

🌐 Internet-Facing: LOW - This appears to be a local access vulnerability requiring physical or app-based access to the device.

🏢 Internal Only: MEDIUM - Malicious apps or local attackers could exploit this if they gain access to the device.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation likely requires local access or malicious app installation; no public exploit code was mentioned in the provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: September 2021 security update

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2021/9/

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System & updates > Software update. 2. Install the September 2021 security update. 3. Restart the device after installation completes.

🔧 Temporary Workarounds

Disable unnecessary services

all

Review and disable any non-essential services that might be vulnerable

Restrict app permissions

all

Review and restrict permissions for installed applications

🧯 If You Can't Patch

• Isolate affected devices from sensitive networks
• Implement strict app installation policies and only install from trusted sources

🔍 How to Verify

Check if Vulnerable:

Copy

Check device security patch level in Settings > About phone > Build number; if before September 2021, device is likely vulnerable.

Check Version:

Copy

Settings > About phone > Build number (no command line available on consumer devices)

Verify Fix Applied:

Copy

Verify security patch level shows September 2021 or later in Settings > About phone > Build number.

📡 Detection & Monitoring

Log Indicators:

• Unauthorized service access attempts
• Permission bypass events in system logs

Network Indicators:

• Unusual local service communication patterns

SIEM Query:

Copy

Not applicable for consumer mobile devices without enterprise logging capabilities

📊 Metadata

CVE ID: CVE-2021-37038

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Published: December 7, 2021

Last Updated: November 21, 2024

🔗 References

• https://consumer.huawei.com/en/support/bulletin/2021/9/ Vendor Advisory
• https://consumer.huawei.com/en/support/bulletin/2021/9/ Vendor Advisory

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON