CVE-2021-24002

CVSS base score: 8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to inject arbitrary FTP commands by tricking users into clicking malicious FTP URLs containing encoded newline characters. When Firefox, Firefox ESR, or Thunderbird processes these URLs, the newlines are interpreted as command separators, enabling unauthorized actions on FTP servers. This affects users of Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox ESR < 78.10, Thunderbird < 78.10, Firefox < 88
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable when users click FTP URLs with encoded newlines.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the FTP server through arbitrary FTP command execution, potentially leading to data theft, server takeover, or lateral movement within the network.

🟠 Likely Case: Unauthorized file operations on FTP servers, including file upload/download, directory traversal, or server configuration changes.

🟢 If Mitigated: Limited impact if FTP servers are isolated, require authentication, or restrict the commands a user may issue.

🌐 Internet-Facing: HIGH - Attackers can craft malicious URLs and distribute them via email, websites, or social engineering to target users.
🏢 Internal Only: MEDIUM - Risk exists if internal users access malicious URLs, but requires user interaction and internal FTP servers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking a malicious URL) but is technically simple with publicly available details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox ESR 78.10+, Thunderbird 78.10+, Firefox 88+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-14/

Restart Required: Yes

Instructions:

1. Open the browser or email client.
2. Go to Settings/Help > About.
3. Allow the automatic update, or manually download the latest version from the official Mozilla website.
4. Restart the application.

🔧 Temporary Workarounds

Disable FTP protocol handling (applies to: all platforms)

Prevent browsers from processing FTP URLs by disabling FTP protocol support.

For Firefox: set network.ftp.enabled to false in about:config.

Block FTP URLs at network level (applies to: all platforms)

Use firewall or proxy rules to block FTP traffic from browsers.

🧯 If You Can't Patch

  • Educate users to avoid clicking FTP URLs, especially from untrusted sources.
  • Implement network segmentation to isolate FTP servers and restrict browser access to them.

🔍 How to Verify

Check if Vulnerable:

Check the browser version in Settings/Help > About. If the version is below Firefox ESR 78.10, Thunderbird 78.10, or Firefox 88, it is vulnerable.

Check Version:

Firefox/Thunderbird: Help > About Firefox/Thunderbird

Verify Fix Applied:

Confirm version is Firefox ESR 78.10+, Thunderbird 78.10+, or Firefox 88+ after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual FTP commands in server logs, especially commands containing newline characters or unexpected command sequences in sessions opened by browser clients.

Network Indicators:

  • FTP traffic from browsers containing encoded newlines (%0A, %0D) in URLs.

SIEM Query:

source="ftp_server_logs" AND (command="*\n*" OR command="*\r*" OR url="*%0A*" OR url="*%0D*")
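An added detection check that applies the network indicator above to individual URLs; it is not part of this advisory or of Mozilla's code. It percent-decodes each component of an FTP URL once and flags any component carrying a carriage return or line feed, raw or encoded in either letter case; the component list, function names and sample hosts are assumptions.

```python
from urllib.parse import urlsplit, unquote

# URL components whose decoded value a client may copy into FTP
# control-channel commands (USER, PASS, CWD, RETR, ...). The list is an
# assumption for this check, not a description of a specific client.
COMPONENTS = ("username", "password", "hostname", "path", "query", "fragment")


def find_crlf(url: str) -> dict:
    """Return {component: decoded_value} for every part of the URL that
    contains a carriage return or line feed, raw or percent-encoded
    (%0D / %0A, upper or lower case). An empty dict means nothing found."""
    hits = {}
    # Check the raw string first: recent Python versions silently strip
    # literal CR/LF/TAB inside urlsplit(), so they would otherwise vanish.
    if "\r" in url or "\n" in url:
        hits["raw"] = url
    parts = urlsplit(url)
    for name in COMPONENTS:
        value = getattr(parts, name) or ""
        # One percent-decoding pass, as a URL consumer does before use.
        decoded = unquote(value)
        if "\r" in decoded or "\n" in decoded:
            hits[name] = decoded
    return hits


def is_suspicious_ftp_url(url: str) -> bool:
    """Proxy-rule style verdict: True for ftp:// URLs carrying CR/LF."""
    if urlsplit(url).scheme.lower() != "ftp":
        return False
    return bool(find_crlf(url))


# Constructed sample URLs for the check (hosts are placeholders, not IoCs).
SAMPLES = [
    "ftp://ftp.example.test/pub/readme.txt",            # benign
    "ftp://ftp.example.test/pub/readme.txt%0D%0ANOOP",  # CRLF in path
    "ftp://user%0Aanon:pw@ftp.example.test/",           # LF in username
    "ftp://ftp.example.test/a%0d%0ab",                  # lowercase hex
    "http://www.example.test/page%0A",                  # not ftp: ignored
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(is_suspicious_ftp_url(sample), find_crlf(sample), sample)
```

Feed it the URL field of proxy or web logs; a non-empty result from find_crlf() on an ftp:// URL is the condition the SIEM query above approximates.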
