The backdoor can execute commands and lets attackers download additional modules onto the victim’s machine, ESET research finds
Analysis Summary
# Vulnerability: Chained Zero-Day Exploitation in Firefox/Thunderbird and Windows Leading to RomCom Backdoor Installation
## CVE Details
- CVE ID: CVE-2024-9680 (Firefox/Thunderbird/Tor Browser Use-After-Free)
- CVE ID: CVE-2024-49039 (Windows Privilege Escalation)
- CVSS Score: *Score and severity are not explicitly provided in the text, but the chaining of two zero-days leading to remote code execution/backdoor installs suggests a Critical or High severity.*
- CWE: CWE-416 (Use After Free) for CVE-2024-9680; CVE-2024-49039 is described in the source only as a privilege escalation, with no CWE identified.
## Affected Systems
- Products: Mozilla Firefox, Mozilla Thunderbird, Tor Browser, Windows operating system (specific versions not listed, but implied they are susceptible to the listed CVEs prior to patching).
- Versions: Versions of Firefox, Thunderbird, and Tor Browser prior to the October 9th, 2024 patch. Versions of Windows prior to the November 12th, 2024 patch.
- Configurations: Any host running an unpatched affected browser on unpatched Windows is exposed. The chain first gains code execution inside the browser's restricted (sandboxed) context, then leverages the Windows flaw to escape the sandbox and run arbitrary code with the privileges of the logged-in user.
## Vulnerability Description
Two zero-day vulnerabilities were chained together by the RomCom threat actor in a zero-click attack:
1. **CVE-2024-9680 (Browser Flaw):** A Use-After-Free (UAF) bug in Firefox, Thunderbird, and Tor Browser that allows for code execution within the restricted context of the browser.
2. **CVE-2024-49039 (Windows Flaw):** A privilege escalation bug in Windows that lets code which has already gained execution inside the browser sandbox break out of it and run outside the sandbox.
Chaining these allows an attacker to gain arbitrary code execution with the privileges of the logged-in user without any required user interaction (zero-click).
## Exploitation
- Status: Actively exploited in the wild by the RomCom threat group.
- Complexity: Low (implied by the description of a "zero-click exploit").
- Attack Vector: Network (as it is a zero-click chain); requires the victim to use the affected browser product.
## Impact
- Confidentiality: High (Installation of RomCom backdoor, allowing command execution and module download).
- Integrity: High (Arbitrary code execution allows for system modification).
- Availability: Medium to High (Depends on subsequent actions taken by the RomCom backdoor).
## Remediation
### Patches
- **CVE-2024-9680 (Browser):** Mozilla patched this vulnerability on October 9th, 2024. Users must update Firefox, Thunderbird, and Tor Browser to the patched versions.
- **CVE-2024-49039 (Windows):** Microsoft released a patch for this vulnerability on November 12th, 2024. Users must apply the corresponding Windows security updates.
### Workarounds
- No specific workarounds were detailed, but limiting use of affected browsers or running with restricted user privileges (if possible) could reduce risk until patching is complete.
## Detection
- Indicators of Compromise (IOCs): Installation of the RomCom backdoor, which is capable of executing commands and downloading additional modules.
- Detection methods and tools: ESET research suggests monitoring for activity associated with the RomCom threat group, particularly the execution of post-exploitation payloads following browser exploitation.
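One concrete way to act on the "post-exploitation payloads following browser exploitation" hint above is a parent/child process rule: a Firefox, Thunderbird or Tor Browser process should only spawn its own helper processes, so any other child (especially a script host or LOLBin) is worth an alert. The following is an added example written for this summary, not code from ESET or from the original report; the log format, the host name `ws01`, the command lines and the allow/deny lists are constructed for illustration and would need to be adapted to a real EDR or Sysmon event source.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Browser/mail-client images whose children we want to inspect (assumed names).
BROWSER_PARENTS = {"firefox.exe", "thunderbird.exe", "tor.exe", "firefox"}

# Helper processes these products legitimately spawn themselves (assumed list).
EXPECTED_CHILDREN = {
    "firefox.exe", "thunderbird.exe", "tor.exe", "plugin-container.exe",
    "crashreporter.exe", "updater.exe", "pingsender.exe", "maintenanceservice.exe",
}

# Script hosts and living-off-the-land binaries that a browser has no reason to
# launch; a child in this set gets the highest severity (assumed list).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent_image: str
    image: str
    cmdline: str


# Constructed process-creation log format: one event per line, key="value" fields.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent="(?P<parent>[^"]*)" '
    r'image="(?P<image>[^"]*)" cmdline="(?P<cmdline>[^"]*)"$'
)


def parse_line(line: str) -> Optional[ProcEvent]:
    """Parse one log line; return None for malformed input instead of raising."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ProcEvent(m["ts"], m["host"], m["parent"], m["image"], m["cmdline"])


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a severity ('high' or 'medium') or None when the event is benign."""
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    if parent not in BROWSER_PARENTS:
        return None                      # not spawned by a browser: out of scope
    if child in EXPECTED_CHILDREN:
        return None                      # the browser's own helper processes
    if child in SUSPICIOUS_CHILDREN:
        return "high"                    # script host / LOLBin under a browser
    return "medium"                      # anything else unexpected: triage it


def scan(lines: Iterable[str]) -> List[Tuple[str, ProcEvent]]:
    """Run the rule over log lines and return (severity, event) pairs."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                     # skip malformed lines, do not crash
        sev = classify(ev)
        if sev:
            alerts.append((sev, ev))
    return alerts


# Constructed sample events (not real telemetry). Line 1 is a normal content
# process, line 2 a LOLBin under Firefox, line 3 an unexpected child of
# Thunderbird, line 4 an unrelated cmd.exe, line 5 a malformed record.
SAMPLE_LOG = r"""
2024-11-12T09:14:01Z host=ws01 parent="C:\Program Files\Mozilla Firefox\firefox.exe" image="C:\Program Files\Mozilla Firefox\firefox.exe" cmdline="firefox.exe -contentproc -childID 3"
2024-11-12T09:14:03Z host=ws01 parent="C:\Program Files\Mozilla Firefox\firefox.exe" image="C:\Windows\System32\rundll32.exe" cmdline="rundll32.exe C:\Users\Public\sample.dll,Run"
2024-11-12T09:20:11Z host=ws01 parent="C:\Program Files\Mozilla Thunderbird\thunderbird.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe attachment.txt"
2024-11-12T09:21:45Z host=ws01 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe"
this line is not a process event
"""


if __name__ == "__main__":
    for sev, ev in scan(SAMPLE_LOG.splitlines()):
        print(f"[{sev.upper()}] {ev.ts} {ev.host}: "
              f"{basename(ev.parent_image)} -> {basename(ev.image)} ({ev.cmdline})")
```

The "medium" tier exists because opening an attachment or a downloaded file does legitimately spawn other programs from a mail client or browser; the rule flags it for triage rather than treating it as an incident, while a script host or rundll32 under the browser is severe enough to alert on directly. The same structure maps onto Sysmon Event ID 1 or EDR process-start telemetry by replacing `parse_line`.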
## References
- Vendor Advisories:
  - Mozilla Advisory for CVE-2024-9680 (Published Oct 9, 2024)
  - Microsoft Advisory for CVE-2024-49039 (Published Nov 12, 2024)
- Relevant links:
  - Full ESET blogpost detailing the chain: hxxps://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/