CVE-2021-37087 – This CVE describes a path traversal vulnerabili... (How to Fix)

Q: What is the severity of CVE-2021-37087?

CVE-2021-37087 has a CVSS score of 9.1 (CRITICAL). This CVE describes a path traversal vulnerability in Huawei smartphones running HarmonyOS that allows attackers to create arbitrary files. Successful exploitation could lead to unauthorized file creation, potentially enabling further system compromise. The vulnerability affects Huawei smartphone users with unpatched HarmonyOS installations.

📋 TL;DR

This CVE describes a path traversal vulnerability in Huawei smartphones running HarmonyOS that allows attackers to create arbitrary files. Successful exploitation could lead to unauthorized file creation, potentially enabling further system compromise. The vulnerability affects Huawei smartphone users with unpatched HarmonyOS installations.

💻 Affected Systems

Products:

Huawei smartphones with HarmonyOS

Versions: HarmonyOS 2.0 versions before 2.0.0.230

Operating Systems: HarmonyOS

Default Config Vulnerable: ⚠️ Yes

Notes: Affects Huawei smartphones running vulnerable HarmonyOS versions. The vulnerability is present in the default configuration.

📦 What is this software?

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could create malicious files in sensitive system directories, potentially leading to privilege escalation, remote code execution, or complete device compromise.

🟠

Likely Case

Local attackers could create files in unauthorized locations, potentially enabling data theft, persistence mechanisms, or privilege escalation attacks.

🟢

If Mitigated

With proper access controls and patching, the risk is limited to authenticated users with specific permissions, reducing the attack surface significantly.

🌐 Internet-Facing: LOW

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access to the device. No public proof-of-concept has been identified, but the high CVSS score suggests significant impact potential.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS 2.0.0.230 and later

Vendor Advisory: https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727

Restart Required: Yes

Instructions:

1. Check current HarmonyOS version in Settings > System & updates > Software update. 2. If version is below 2.0.0.230, download and install the latest update. 3. Restart the device after installation completes.

🔧 Temporary Workarounds

Restrict local access

all

Limit physical and network access to vulnerable devices to reduce attack surface

Enable device encryption

android

Enable full device encryption to protect against local file system attacks

Settings > Security & privacy > Encryption & credentials > Encrypt phone

🧯 If You Can't Patch

Isolate vulnerable devices from untrusted networks and users
Implement strict access controls and monitor for suspicious file creation activities

🔍 How to Verify

Check if Vulnerable:

Check HarmonyOS version in Settings > System & updates > Software update. If version is below 2.0.0.230, the device is vulnerable.

Check Version:

Settings > System & updates > Software update (no CLI command available)

Verify Fix Applied:

After updating, verify the HarmonyOS version shows 2.0.0.230 or higher in Settings > System & updates > Software update.

📡 Detection & Monitoring

Log Indicators:

Unexpected file creation in system directories
Failed file access attempts to protected paths

Network Indicators:

Unusual local network traffic from mobile devices
Attempts to access device management interfaces

SIEM Query:

source="huawei_device_logs" AND (event_type="file_creation" AND path CONTAINS "../")

📊 Metadata

CVE ID: CVE-2021-37087

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-22

Published: December 7, 2021

Last Updated: November 21, 2024

🔗 References

https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727 Vendor Advisory
https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-37087, you might also want to check these: