CVE-2021-37099 – This path traversal vulnerability in Huawei sma... (How to Fix)

Q: What is the severity of CVE-2021-37099?

CVE-2021-37099 has a CVSS score of 9.1 (CRITICAL). This path traversal vulnerability in Huawei smartphones allows attackers to delete arbitrary files on affected devices. The vulnerability affects Huawei smartphones running HarmonyOS. Successful exploitation could lead to system instability or data loss.

📋 TL;DR

This path traversal vulnerability in Huawei smartphones allows attackers to delete arbitrary files on affected devices. The vulnerability affects Huawei smartphones running HarmonyOS. Successful exploitation could lead to system instability or data loss.

💻 Affected Systems

Products:

Huawei Smartphones

Versions: HarmonyOS versions prior to specific security patches

Operating Systems: HarmonyOS

Default Config Vulnerable: ⚠️ Yes

Notes: Affects Huawei smartphones running vulnerable HarmonyOS versions. Specific models not detailed in public advisory.

📦 What is this software?

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through deletion of critical system files, potentially bricking the device or enabling further privilege escalation.

🟠

Likely Case

Data loss through deletion of user files, application data, or configuration files leading to application failures.

🟢

If Mitigated

Limited impact if proper file permissions and sandboxing are enforced, restricting deletion to non-critical files.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access or malicious app installation. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS security updates September 2021 and later

Vendor Advisory: https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System & updates > Software update. 2. Install available security updates. 3. Restart device after installation.

🔧 Temporary Workarounds

Restrict app installations

all

Only install apps from trusted sources like official app stores

Enable security features

all

Ensure device security settings are enabled including app permission controls

🧯 If You Can't Patch

Isolate affected devices from sensitive networks
Implement strict app installation policies and monitor for suspicious file deletion activity

🔍 How to Verify

Check if Vulnerable:

Check HarmonyOS version in Settings > About phone > HarmonyOS version. Compare with patched versions in vendor advisory.

Check Version:

Settings > About phone > HarmonyOS version

Verify Fix Applied:

Verify HarmonyOS version is updated to September 2021 security patch or later. Check that no unauthorized file deletion occurs.

📡 Detection & Monitoring

Log Indicators:

Unexpected file deletion events in system logs
Failed file access attempts with traversal patterns

Network Indicators:

Unusual file transfer patterns if exploited remotely

SIEM Query:

File deletion events with path traversal patterns (../ or similar sequences) in file paths

📊 Metadata

CVE ID: CVE-2021-37099

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE: CWE-22

Published: December 7, 2021

Last Updated: November 21, 2024

🔗 References

https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727 Vendor Advisory
https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-37099, you might also want to check these: