CVE-2021-37064 – This vulnerability allows attackers to create a... (How to Fix)

Q: What is the severity of CVE-2021-37064?

CVE-2021-37064 has a CVSS score of 9.1 (CRITICAL). This vulnerability allows attackers to create arbitrary files on Huawei smartphones by exploiting improper pathname restrictions. It affects Huawei devices running HarmonyOS with insufficient directory access controls. Successful exploitation could lead to data manipulation or system compromise.

📋 TL;DR

This vulnerability allows attackers to create arbitrary files on Huawei smartphones by exploiting improper pathname restrictions. It affects Huawei devices running HarmonyOS with insufficient directory access controls. Successful exploitation could lead to data manipulation or system compromise.

💻 Affected Systems

Products:

Huawei Smartphones

Versions: HarmonyOS versions prior to specific security patches

Operating Systems: HarmonyOS

Default Config Vulnerable: ⚠️ Yes

Notes: Affects Huawei smartphones running vulnerable HarmonyOS versions. Exact device models not specified in available references.

📦 What is this software?

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through arbitrary file creation leading to privilege escalation, data corruption, or persistent backdoor installation.

🟠

Likely Case

Unauthorized file creation in sensitive directories, potentially enabling data theft, application manipulation, or denial of service.

🟢

If Mitigated

Limited impact with proper file system permissions and application sandboxing in place.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access or malicious app installation. No public exploit code identified in available references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS security updates from September 2021 onward

Vendor Advisory: https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727

Restart Required: Yes

Instructions:

1. Check for system updates in device settings. 2. Install available security updates. 3. Restart device after installation.

🔧 Temporary Workarounds

Restrict app permissions

all

Limit file system access for untrusted applications

Disable unknown sources

all

Prevent installation of apps from untrusted sources

🧯 If You Can't Patch

Isolate affected devices from sensitive networks
Implement strict application whitelisting policies

🔍 How to Verify

Check if Vulnerable:

Check HarmonyOS version in Settings > About phone > HarmonyOS version

Check Version:

Not applicable for mobile devices - use device settings interface

Verify Fix Applied:

Verify installed security patch level in Settings > Security > Security update

📡 Detection & Monitoring

Log Indicators:

Unexpected file creation events in system logs
Unauthorized directory access attempts

Network Indicators:

Unusual outbound connections from mobile devices

SIEM Query:

Not applicable - primarily local device vulnerability

📊 Metadata

CVE ID: CVE-2021-37064

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-22

Published: December 7, 2021

Last Updated: November 21, 2024

🔗 References

https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727 Vendor Advisory
https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-37064, you might also want to check these: