CVE-2021-37061

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to cause denial of service in Huawei smartphones by exploiting uncontrolled resource consumption in the screen projection application. Affected users are those with vulnerable Huawei devices running HarmonyOS. The attack could render the screen projection feature unusable.

💻 Affected Systems

Products:
  • Huawei smartphones with HarmonyOS
Versions: HarmonyOS 2.0 versions before 2.0.0.230
Operating Systems: HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with screen projection feature enabled

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for screen projection functionality, potentially affecting device usability for projection-dependent workflows.

🟠 Likely Case

Temporary disruption of screen projection capabilities requiring device restart to restore functionality.

🟢 If Mitigated

Minimal impact with proper patching and network segmentation limiting attack vectors.

🌐 Internet-Facing: LOW (Requires local access or network proximity to device)
🏢 Internal Only: MEDIUM (Could be exploited on internal networks if attacker gains access)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local network access or physical proximity to target device

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS 2.0.0.230 and later

Vendor Advisory: https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System & updates > Software update.
2. Download and install available updates.
3. Restart device when prompted.

🔧 Temporary Workarounds

  • Disable screen projection feature (all): Temporarily disable the vulnerable screen projection functionality
  • Network segmentation (all): Isolate devices on separate network segments to limit attack surface

🧯 If You Can't Patch

  • Disable screen projection feature in device settings
  • Implement network access controls to restrict who can communicate with affected devices

🔍 How to Verify

Check if Vulnerable:

Check the HarmonyOS version in Settings > About phone > HarmonyOS version. If the version is earlier than 2.0.0.230, the device is vulnerable.

Check Version:

Settings > About phone > HarmonyOS version

Verify Fix Applied:

Verify HarmonyOS version is 2.0.0.230 or later in Settings > About phone > HarmonyOS version.

📡 Detection & Monitoring

Log Indicators:

  • Unusual screen projection service crashes
  • Excessive resource consumption by projection app

Network Indicators:

  • Unusual network traffic to screen projection ports
  • Multiple connection attempts to projection service

SIEM Query:

Device logs showing screen projection service failures or abnormal termination
