CVE-2024-9680

Use After Free (CWE-416)

Published: Oct 9, 2024

CVSS 9.8 | EPSS 0.04% | Critical

Summary

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. This vulnerability has been reported as being exploited in the wild. The vulnerability is classified as critical with a CVSS v3.1 base score of 9.8, indicating a severe level of risk. It affects Mozilla Firefox and Thunderbird, and is associated with CWE-416 (Use After Free).

Impact

The impact of this vulnerability is severe. An attacker can exploit this issue to execute arbitrary code within the content process of the affected application. This could lead to:

1. Complete compromise of the affected system's confidentiality, integrity, and availability.
2. Unauthorized access to sensitive user data.
3. Potential for further lateral movement within the network if the compromised system is part of a larger infrastructure.
4. Possible installation of additional malware or backdoors on the affected system.

The fact that this vulnerability is being actively exploited in the wild increases the urgency and potential impact, as it indicates that malicious actors are already aware of and using this vulnerability.

Exploitation

There is no evidence that a public proof-of-concept exists. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list. Its exploitation has been reported by various sources, including bleepingcomputer.com.

Patch

A patch is available for this vulnerability. Mozilla has released security updates addressing this issue. The affected versions and their corresponding patched versions are:

1. Firefox versions below 131.0.2 should be updated to 131.0.2 or later.
2. Firefox ESR versions below 128.3.1 should be updated to 128.3.1 or later.
3. Firefox ESR versions below 115.16.1 should be updated to 115.16.1 or later.
4. Thunderbird versions below 131.0.1 should be updated to 131.0.1 or later.
5. Thunderbird versions below 128.3.1 should be updated to 128.3.1 or later.
6. Thunderbird versions below 115.16.0 should be updated to 115.16.0 or later.

The patch was initially added on October 9, 2024, and Mozilla has released an advisory (MFSA2024-52) addressing this issue.

Mitigation

Given the critical nature of this vulnerability and its active exploitation, immediate action is strongly recommended:

1. Apply the patches released by Mozilla as soon as possible. This should be considered a high-priority update.
2. If immediate patching is not possible, consider temporarily disabling or restricting use of Firefox and Thunderbird until the update can be applied.
3. Implement network segmentation and access controls to limit potential lateral movement in case of compromise.
4. Monitor systems for any signs of exploitation or unusual activity.
5. Educate users about the risks of this vulnerability and the importance of applying updates promptly.
6. Consider using alternative browsers on critical systems until the patch is applied.
7. Regularly check for and apply any subsequent security updates from Mozilla.
8. Ensure that all instances of Firefox and Thunderbird across the organization are identified and included in the patching process.
9. Prioritize patching based on the criticality of the systems and their exposure to potential attacks.
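
Checking an inventory against the fixed-version thresholds from the Patch section (and covering mitigation item 8, identifying every exposed instance) is the kind of script a patch team writes at this point. The following is an added example, not Mozilla's code or anything from this page's sources; the version-to-branch mapping rules and the host inventory are constructed assumptions.

```python
import re

# First fixed version per product and release branch, keyed by major version;
# the figures come from the MFSA 2024-51 / 2024-52 thresholds quoted above.
FIXED = {
    "firefox":     {115: (115, 16, 1), 128: (128, 3, 1), 131: (131, 0, 2)},
    "thunderbird": {115: (115, 16, 0), 128: (128, 3, 1), 131: (131, 0, 1)},
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise '128.3.1esr', '131.0' or '131.0.2 (64-bit)' to a 3-tuple of ints."""
    core = text.strip().split()[0].lower()
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", core)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(product: str, version: str) -> bool:
    """True when the build predates the CVE-2024-9680 fix for its branch.

    Assumptions of this script: the branch is chosen by major version; majors
    below 115 and the non-ESR majors between the listed ones (e.g. 130) never
    received a fix and count as vulnerable; majors above 131 count as fixed.
    """
    table = FIXED[product.lower()]
    v = parse_version(version)
    if v[0] in table:
        return v < table[v[0]]
    return v[0] <= max(table)


def hosts_needing_patch(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Reduce (host, product, version) records to the hosts still exposed."""
    return [host for host, product, version in inventory
            if is_vulnerable(product, version)]


# Constructed sample inventory for the demo; not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "131.0.1"),
    ("ws-02", "firefox", "131.0.2 (64-bit)"),
    ("srv-03", "firefox", "115.16.0esr"),
    ("mail-04", "thunderbird", "115.16.0"),
    ("ws-05", "firefox", "130.0"),
]

if __name__ == "__main__":
    print(hosts_needing_patch(SAMPLE_INVENTORY))  # ['ws-01', 'srv-03', 'ws-05']
```

Note that the same version string can be fixed for one product and vulnerable for the other (115.16.0 is patched Thunderbird but unpatched Firefox ESR), so the product must be recorded alongside the version.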

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Exploitation in the Wild

Attacks in the wild have been reported by inthewild.io.

Oct 9, 2024 at 12:00 AM / inthewild.io
CVE Assignment

NVD published the first details for CVE-2024-9680

Oct 9, 2024 at 1:15 PM
First Article

Feedly found the first article mentioning CVE-2024-9680. See article

Oct 9, 2024 at 1:15 PM / Mozilla Foundation Security Advisories
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 9, 2024 at 1:15 PM
Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2024-9680).

Oct 9, 2024 at 2:35 PM
CVSS

A CVSS base score of 7.5 has been assigned.

Oct 9, 2024 at 2:35 PM / redhat-cve-advisories
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 9, 2024 at 4:40 PM / nvd
Exploitation in the Wild

Attacks in the wild have been reported by BleepingComputer. See article

Oct 9, 2024 at 5:38 PM / BleepingComputer
Trending

This CVE started to trend in security discussions

Oct 9, 2024 at 9:24 PM

Affected Systems

Mozilla/firefox_esr

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patches

Mozilla Advisory

Vendor Advisory

Oracle Linux Bulletin - October 2024
Oracle Id: linuxbulletinoct2024 Release Date: 2024-10-15 Update Date: 2024-10-15 Description The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin. Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle Linux Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next scheduled bulletin publication date. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle Linux Bulletin security patches as soon as possible. Oracle Linux Risk Matrix (Revision: 1 Published on 2024-10-15) CVE-2024-3596 CVSS Base Score :9.0 CVSS Vector :CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Product :

References

Mozilla Foundation Security Advisory 2024-52
Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0 Mozilla Id: mfsa2024-52 Release Date: 2024-10-10 Impact Critical CVE Information CVE-2024-9680 - Use-after-free in Animation timeline An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. Bug 1923344 : https://bugzilla.mozilla.org/show_bug.cgi?id=1923344
Mozilla Foundation Security Advisory 2024-51
Security Vulnerability fixed in Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1 Mozilla Id: mfsa2024-51 Release Date: 2024-10-09 Impact Critical CVE Information CVE-2024-9680 - Use-after-free in Animation timeline An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. Bug 1923344 : https://bugzilla.mozilla.org/show_bug.cgi?id=1923344
CISA Added Fortinet FortiManager Vulnerability to its Known Exploitable Vulnerabilities Catalog (CVE-2024-47575)
Fortinet informed in the advisory that the vulnerability is used to steal sensitive files containing configurations, IP addresses, and credentials for managed devices. As per the advisory, “The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials, and configurations of the managed devices.”

News

oracle_linux ELSA-2024-9554: ELSA-2024-9554: firefox security update (IMPORTANT)
Development Last Updated: 11/20/2024 CVEs: CVE-2024-10460 , CVE-2024-10458 , CVE-2024-9680 , CVE-2024-10465 , CVE-2024-10467 , CVE-2024-10463 , CVE-2024-10462 , CVE-2024-10464 , CVE-2024-10459 , CVE-2024-10461 , CVE-2024-10466
AlmaLinux 9 : thunderbird (ALSA-2024:9552)
The remote AlmaLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2024:9552 advisory. The remote AlmaLinux host is missing one or more security updates.
alma_linux ALSA-2024:9554: ALSA-2024:9554: firefox security update (High)
Development Last Updated: 11/19/2024 CVEs: CVE-2024-10460 , CVE-2024-10458 , CVE-2024-9680 , CVE-2024-10465 , CVE-2024-10467 , CVE-2024-10463 , CVE-2024-10462 , CVE-2024-10464 , CVE-2024-10459 , CVE-2024-10461 , CVE-2024-10466
Last Week in Security - 2024-11-18
The honeypot attracted attackers using tools like FFUF and Masscan, highlighting the importance of strong access controls and prompt application of security patches to mitigate cyber risks. The Problem with IoT Cloud-Connectivity and How it Exposed All OvrC Devices to Hijacking - Team82 conducted research on the security of the OvrC cloud platform, revealing 10 vulnerabilities that allowed attackers to execute code on OvrC cloud-connected devices.
[ALSA-2024:9554] Important: firefox security update
* firefox: thunderbird: Origin of permission prompt could be spoofed by long URL (CVE-2024-10462) * firefox: thunderbird: Confusing display of origin for external protocol handler prompt (CVE-2024-10460)

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
