CVE-2021-29949 – This vulnerability allows Thunderbird to load a... (How to Fix)

Q: How do I fix CVE-2021-29949?

1. Open Thunderbird. 2. Go to Help > About Thunderbird. 3. Allow automatic update check and installation. 4. Restart Thunderbird when prompted. 5. Verify version is 78.9.1 or higher.

Q: What is the severity of CVE-2021-29949?

CVE-2021-29949 has a CVSS score of 7.8 (HIGH). This vulnerability allows Thunderbird to load a malicious shared library instead of the legitimate OTR protocol library due to an incorrect filename search order. Attackers who can place a malicious library in a directory within Thunderbird's search path can execute arbitrary code. This affects Thunderbird users with versions below 78.9.1.

📋 TL;DR

This vulnerability allows Thunderbird to load a malicious shared library instead of the legitimate OTR protocol library due to an incorrect filename search order. Attackers who can place a malicious library in a directory within Thunderbird's search path can execute arbitrary code. This affects Thunderbird users with versions below 78.9.1.

💻 Affected Systems

Products:

Mozilla Thunderbird

Versions: All versions < 78.9.1

Operating Systems: Windows, Linux, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker to place malicious library in directory within Thunderbird's library search path (LD_LIBRARY_PATH on Linux, PATH on Windows, DYLD_LIBRARY_PATH on macOS).

📦 What is this software?

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via arbitrary code execution with the privileges of the Thunderbird process, potentially leading to data theft, malware installation, or lateral movement.

🟠

Likely Case

Local privilege escalation or persistence mechanism for attackers who already have some access to the system, allowing them to maintain control or escalate privileges.

🟢

If Mitigated

No impact if Thunderbird is updated to patched version or if proper file system permissions prevent unauthorized library placement.

🌐 Internet-Facing: LOW - This requires local file system access to place malicious libraries, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Internal attackers with file write access to Thunderbird search paths could exploit this for privilege escalation or persistence.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local file system access to plant malicious library. No public exploit code available as of knowledge cutoff.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 78.9.1

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-13/

Restart Required: Yes

Instructions:

1. Open Thunderbird. 2. Go to Help > About Thunderbird. 3. Allow automatic update check and installation. 4. Restart Thunderbird when prompted. 5. Verify version is 78.9.1 or higher.

🔧 Temporary Workarounds

Restrict library search paths

all

Modify environment variables to limit directories Thunderbird searches for libraries

export LD_LIBRARY_PATH=/usr/lib:/usr/local/lib (Linux)
set PATH=C:\Program Files\Mozilla Thunderbird (Windows)

File system permissions

all

Set restrictive permissions on directories in Thunderbird's library search path

chmod 755 /usr/local/lib && chown root:root /usr/local/lib (Linux)
icacls "C:\Program Files\Mozilla Thunderbird" /deny Everyone:(OI)(CI)(W) (Windows)

🧯 If You Can't Patch

Restrict file system permissions to prevent unauthorized users from writing to Thunderbird library directories
Monitor for suspicious library files in Thunderbird search paths using file integrity monitoring

🔍 How to Verify

Check if Vulnerable:

Check Thunderbird version in Help > About Thunderbird. If version is below 78.9.1, system is vulnerable.

Check Version:

thunderbird --version (Linux/macOS) or check Help > About in GUI (all platforms)

Verify Fix Applied:

Verify Thunderbird version is 78.9.1 or higher in Help > About Thunderbird.

📡 Detection & Monitoring

Log Indicators:

Failed library loading attempts in Thunderbird logs
Unexpected library files in Thunderbird directories

Network Indicators:

None - this is a local file system vulnerability

SIEM Query:

Process creation where parent process is thunderbird.exe and command line includes suspicious library loading

📊 Metadata

CVE ID: CVE-2021-29949

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-427

Published: June 24, 2021

Last Updated: November 21, 2024

🔗 References

https://bugzilla.mozilla.org/show_bug.cgi?id=1682101 Permissions Required,Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-13/ Release Notes,Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1682101 Permissions Required,Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-13/ Release Notes,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-29949, you might also want to check these: