CVE-2021-38510

8.8 HIGH

📋 TL;DR

This vulnerability in Firefox, Thunderbird, and Firefox ESR on macOS allows malicious .inetloc files to execute commands without displaying the standard executable file warning. Attackers can trick users into downloading these files, potentially leading to remote code execution. Only macOS users running affected browser versions are impacted.

💻 Affected Systems

Products:
  • Firefox
  • Thunderbird
  • Firefox ESR
Versions: Firefox < 94, Thunderbird < 91.3, Firefox ESR < 91.3
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS due to OS-specific handling of .inetloc files. Other operating systems are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with user privileges, allowing attackers to install malware, steal data, or gain persistent access to the system.

🟠 Likely Case

Attackers deliver malicious .inetloc files via phishing or compromised websites, executing arbitrary commands when users download and open them.

🟢 If Mitigated

With updated browsers, the executable warning appears, allowing users to cancel the download and prevent exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (downloading and opening a malicious .inetloc file). No authentication needed for the initial download.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 94+, Thunderbird 91.3+, Firefox ESR 91.3+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-48/

Restart Required: Yes

Instructions:

1. Open the affected browser.
2. Go to About Firefox/Thunderbird.
3. Allow the browser to check for and install updates.
4. Restart the browser when prompted.

🔧 Temporary Workarounds

Disable automatic file opening (platforms: all)

Configure the browser to ask where to save files instead of opening them automatically.

In Firefox: Settings > General > Downloads > Check 'Always ask you where to save files'

Block .inetloc downloads (platforms: all)

Use browser extensions or security software to block downloads of .inetloc files.

🧯 If You Can't Patch

  • Educate users to avoid downloading .inetloc files from untrusted sources.
  • Implement application whitelisting to prevent execution of unauthorized commands.

🔍 How to Verify

Check if Vulnerable:

Open About Firefox/Thunderbird and read the version. If it is below the patched version for that product (Firefox 94, Thunderbird 91.3, Firefox ESR 91.3), the installation is vulnerable.

Check Version:

In Firefox/Thunderbird: Open browser, go to 'About Firefox' or 'About Thunderbird' in the menu.

Verify Fix Applied:

After updating, confirm the browser version meets or exceeds the patched version. To test, attempt to download a .inetloc file: the executable-file warning should now appear.
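The version comparison above can be automated across a macOS fleet. The script below is an added example for this page, not Mozilla's own tooling: it encodes the fixed versions from the advisory (Firefox 94, Thunderbird 91.3, Firefox ESR 91.3) and compares an installed version string against them. Reading the version from the .app bundle's Info.plist via the standard CFBundleShortVersionString key, the /Applications/Firefox.app install path, and the "esr" suffix in ESR version strings are assumptions to verify on your own hosts.

```python
"""Check whether an installed Firefox / Thunderbird / Firefox ESR version
predates the CVE-2021-38510 fix. Added example; not Mozilla's own tooling."""
import plistlib
import re
from pathlib import Path

# Fixed versions taken from the advisory (major, minor, patch).
FIXED_VERSIONS = {
    "firefox": (94, 0, 0),
    "firefox-esr": (91, 3, 0),
    "thunderbird": (91, 3, 0),
}


def parse_version(version_string):
    """Turn strings like '94.0', '91.2.1' or '91.2.0esr' into a 3-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", version_string)][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(product, version_string):
    """True if the given product/version is below the patched release.

    Assumption: ESR builds carry an 'esr' suffix in their version string;
    pass product='firefox-esr' explicitly when you already know it is ESR."""
    product = product.lower()
    if product == "firefox" and "esr" in version_string.lower():
        product = "firefox-esr"
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product}")
    return parse_version(version_string) < FIXED_VERSIONS[product]


def read_bundle_version(app_path):
    """Read the version string from a macOS .app bundle's Info.plist.

    Assumption: the bundle exposes CFBundleShortVersionString (standard key)."""
    info_plist = Path(app_path) / "Contents" / "Info.plist"
    with open(info_plist, "rb") as fh:
        return plistlib.load(fh)["CFBundleShortVersionString"]


if __name__ == "__main__":
    # Assumed default install locations; adjust for your fleet.
    for product, app in [("firefox", "/Applications/Firefox.app"),
                         ("thunderbird", "/Applications/Thunderbird.app")]:
        try:
            version = read_bundle_version(app)
        except (FileNotFoundError, KeyError):
            print(f"{product}: not installed at {app}")
            continue
        state = "VULNERABLE" if is_vulnerable(product, version) else "patched"
        print(f"{product} {version}: {state}")
```

Note the caveat in the ESR handling: a bare "91.3.0" passed as product "firefox" is compared against the mainline threshold of 94 and reported vulnerable, so supply "firefox-esr" explicitly when the version string does not carry the suffix.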

📡 Detection & Monitoring

Log Indicators:

  • Browser logs showing .inetloc file downloads
  • System logs showing unexpected command execution following .inetloc file access

Network Indicators:

  • Downloads of .inetloc files from untrusted sources
  • Unusual outbound connections following .inetloc file access

SIEM Query:

source="browser.logs" AND (file_extension=".inetloc" OR process_execution AFTER file_download)
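The pseudo-query above expresses the core detection: a process execution that follows a .inetloc download for the same host and user within a short window. The script below is an added example, not part of the original advisory, that implements that correlation over a few constructed key=value log lines (the line format, field names and the five-minute window are assumptions; adapt them to your own endpoint and browser telemetry).

```python
"""Correlate .inetloc downloads with subsequent process execution.
Added example for this advisory; log format and window are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Alice: exec 28 s after the
# download (should alert). Bob: no .inetloc involved. Carol: exec one hour
# later, outside the default window.
SAMPLE_LOG = """\
2021-11-03T10:01:12Z host=mac-01 event=file_download user=alice path=/Users/alice/Downloads/invoice.inetloc src=http://example.invalid/invoice.inetloc
2021-11-03T10:01:40Z host=mac-01 event=process_exec user=alice parent=firefox cmd=/bin/sh
2021-11-03T10:30:00Z host=mac-02 event=file_download user=bob path=/Users/bob/Downloads/report.pdf src=http://example.invalid/report.pdf
2021-11-03T10:31:00Z host=mac-02 event=process_exec user=bob parent=Finder cmd=/Applications/Preview.app/Contents/MacOS/Preview
2021-11-03T11:00:00Z host=mac-03 event=file_download user=carol path=/Users/carol/Downloads/link.inetloc src=http://example.invalid/link.inetloc
2021-11-03T12:00:00Z host=mac-03 event=process_exec user=carol parent=firefox cmd=/bin/sh
"""


def parse_line(line):
    """Parse '<ISO-8601 timestamp> key=value ...' into a dict with a 'ts' datetime."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_inetloc_exec(log_text, window=timedelta(minutes=5)):
    """Return one alert per (.inetloc download, later process_exec) pair on the
    same host and user where the execution happens within `window`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    for dl in events:
        if dl.get("event") != "file_download":
            continue
        if not dl.get("path", "").lower().endswith(".inetloc"):
            continue
        for ex in events:
            if ex.get("event") != "process_exec":
                continue
            if ex.get("host") != dl.get("host") or ex.get("user") != dl.get("user"):
                continue
            delta = ex["ts"] - dl["ts"]
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "host": dl["host"],
                    "user": dl["user"],
                    "download": dl["path"],
                    "command": ex.get("cmd", ""),
                    "seconds_after": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_inetloc_exec(SAMPLE_LOG):
        print(f"ALERT {alert['host']} {alert['user']}: {alert['download']} "
              f"-> {alert['command']} after {alert['seconds_after']}s")
```

The window is the main tuning knob: too short and a delayed execution is missed (Carol's case above), too long and ordinary activity after a benign download starts to match. Restricting the process_exec side to children of the browser process, when your telemetry records the parent, cuts that noise considerably.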
