CVE-2023-3417

7.5 HIGH

📋 TL;DR

A vulnerability in the Thunderbird email client allows attackers to disguise executable files as document attachments by placing Unicode text direction override characters in the filename. Users could be tricked into running malicious executables, believing they are safe documents. Affects Thunderbird versions before 115.0.1 and 102.13.1.

💻 Affected Systems

Products:
  • Mozilla Thunderbird
Versions: Thunderbird < 115.0.1 and Thunderbird < 102.13.1
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All Thunderbird installations with affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A user executes a malicious attachment, thinking it is a document, leading to full system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Targeted phishing campaigns where users download and execute disguised malware, leading to credential theft or malware infection.

🟢 If Mitigated

With proper email filtering and user awareness, impact is limited to isolated incidents with minimal damage.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack requires user interaction (opening the attachment), but exploitation is trivial once the attachment is delivered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Thunderbird 115.0.1 or 102.13.1

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2023-27/

Restart Required: Yes

Instructions:

1. Open Thunderbird
2. Click Help > About Thunderbird
3. Allow automatic update or download from mozilla.org
4. Restart Thunderbird after update

🔧 Temporary Workarounds

Disable automatic attachment opening

all

Configure Thunderbird to not automatically open attachments and require explicit user action

Email filtering for Unicode override characters

all

Configure email gateway to filter or flag emails containing Unicode text direction characters in filenames

🧯 If You Can't Patch

  • Implement strict email attachment policies blocking executable file types
  • Deploy endpoint protection with behavior-based malware detection

🔍 How to Verify

Check if Vulnerable:

Check Thunderbird version in Help > About Thunderbird

Check Version:

thunderbird --version

Verify Fix Applied:

Verify version is 115.0.1 or higher, or 102.13.1 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual attachment execution events
  • Security software alerts on disguised executables

Network Indicators:

  • Emails with attachments containing Unicode override characters in filenames
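
The filename check named in the email-filtering workaround and in the network indicator above can be sketched as follows. This is an added example, not code from Mozilla or any gateway product: it parses a message with Python's standard `email` package and reports attachments whose decoded filename contains bidirectional control characters. The function names, the set of characters flagged (embeddings, overrides, isolates and directional marks) and the sample message are assumptions constructed for illustration.

```python
import email
import unicodedata
from email import policy
from email.message import EmailMessage

# Assumed flag set: bidi embeddings/overrides, isolates, and directional marks.
BIDI_CONTROLS = frozenset(
    [chr(c) for c in range(0x202A, 0x202F)]      # LRE, RLE, PDF, LRO, RLO
    + [chr(c) for c in range(0x2066, 0x206A)]    # LRI, RLI, FSI, PDI
    + ["\u200e", "\u200f", "\u061c"]             # LRM, RLM, ALM
)

def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per attachment whose filename has bidi controls."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # policy.default decodes RFC 2231 / RFC 2047 encoded filename parameters
        name = part.get_filename()
        if not name:
            continue
        hits = [c for c in name if c in BIDI_CONTROLS]
        if not hits:
            continue
        # Extension as stored (logical order), ignoring the control characters
        stored = "".join(c for c in name if c not in BIDI_CONTROLS)
        findings.append({
            "filename_escaped": name.encode("unicode_escape").decode("ascii"),
            "controls": sorted({f"U+{ord(c):04X} {unicodedata.name(c)}" for c in hits}),
            "stored_extension": stored.rsplit(".", 1)[-1].lower() if "." in stored else "",
        })
    return findings

def build_sample(filename: str) -> bytes:
    """Constructed test message carrying one attachment with the given name."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for sample in ("report.pdf", "report\u202efdp.exe"):  # constructed names
        print(scan_message(build_sample(sample)))
```

Logging the escaped filename and the stored extension, rather than the raw name, keeps the finding readable in consoles and SIEM views that would otherwise render the override themselves.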

SIEM Query:

source="thunderbird" AND (attachment_executed OR process_creation) AND parent_process="thunderbird"
