CVE-2024-29209
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code on systems running vulnerable versions of KnowBe4's Phish Alert Button for Outlook by exploiting insecure update verification. Attackers can perform DNS spoofing to redirect update requests to malicious servers and deliver crafted update packages. Affected users include those running Phish Alert Button versions 1.10.0-1.10.11, Second Chance Client versions 2.0.0-2.0.9, and PIQ Client versions 1.0.0-1.0.15.
💻 Affected Systems
- Phish Alert Button for Outlook
- Second Chance Client
- PIQ Client
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with elevated privileges, enabling data theft, persistent malware installation, and lateral movement within the network.
Likely Case
Targeted attacks against organizations using vulnerable versions, leading to credential theft, data exfiltration, and ransomware deployment.
If Mitigated
Limited impact with proper network segmentation, DNS security controls, and timely patching.
🎯 Exploit Status
Exploitation requires the ability to spoof DNS for the client's update lookups and to host a malicious update server that serves the crafted package.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest versions from KnowBe4 (specific version numbers not provided in CVE)
Vendor Advisory: https://support.knowbe4.com/hc/en-us/articles/28959755127955-CVE-2024-29209
Restart Required: Yes
Instructions:
1. Verify the current version of the KnowBe4 software.
2. Ensure automatic updates are enabled.
3. If the software has not updated automatically, manually download and install the latest version from the KnowBe4 portal.
4. Restart Outlook and any other affected applications.
🔧 Temporary Workarounds
Use secure corporate networks/VPN
Route all update traffic through secure corporate networks or VPN services to prevent DNS spoofing attacks.
🧯 If You Can't Patch
- Disable automatic updates and block outbound connections to update servers at firewall
- Implement DNS security controls like DNSSEC and DNS filtering
🔍 How to Verify
Check if Vulnerable:
Check installed version of KnowBe4 software against affected version ranges: Phish Alert Button 1.10.0-1.10.11, Second Chance Client 2.0.0-2.0.9, PIQ Client 1.0.0-1.0.15
Check Version:
Check application settings or About dialog in Outlook add-ins
Verify Fix Applied:
Verify software version is updated beyond affected ranges and confirm SSL/TLS verification is enforced for update connections
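As an added example (not part of this advisory and not KnowBe4's own code), a small Python check that compares an inventoried version numerically against the three affected ranges listed above. It avoids the string-comparison mistake where "1.10.9" sorts after "1.10.11"; the product names are used only as dictionary keys and the sample inventory is constructed.

```python
"""Check whether an installed KnowBe4 client version falls inside the
CVE-2024-29209 affected ranges (ranges taken from the advisory text).
Added example, not KnowBe4's code; product names are dictionary keys only."""
from typing import List, Tuple

# Affected version ranges (inclusive), exactly as stated in the advisory.
AFFECTED_RANGES = {
    "Phish Alert Button": ("1.10.0", "1.10.11"),
    "Second Chance Client": ("2.0.0", "2.0.9"),
    "PIQ Client": ("1.0.0", "1.0.15"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.11' into (1, 10, 11) so comparison is numeric, not
    lexicographic: as strings, '1.10.9' > '1.10.11', which is wrong."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, installed: str) -> bool:
    """Return True if `installed` lies within the affected range for
    `product`; unknown products raise so a typo is not reported as safe."""
    if product not in AFFECTED_RANGES:
        raise KeyError(f"no affected range recorded for {product!r}")
    low, high = (parse_version(v) for v in AFFECTED_RANGES[product])
    return low <= parse_version(installed) <= high


def assess(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Take (product, version) pairs, e.g. from an endpoint inventory export,
    and return the subset that still needs patching."""
    return [(p, v) for p, v in inventory if is_affected(p, v)]


if __name__ == "__main__":
    # Constructed sample inventory; the versions are illustrative only.
    sample = [
        ("Phish Alert Button", "1.10.9"),
        ("Phish Alert Button", "1.10.12"),
        ("Second Chance Client", "2.0.9"),
        ("PIQ Client", "1.0.16"),
    ]
    for product, version in assess(sample):
        print(f"VULNERABLE: {product} {version}")
```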
📡 Detection & Monitoring
Log Indicators:
- Unusual update server connections
- Failed SSL/TLS certificate validation for update servers
- Update downloads from non-KnowBe4 domains
Network Indicators:
- DNS queries for update servers redirected to suspicious IPs
- HTTP/HTTPS traffic to non-standard update endpoints
- Large update downloads from unknown sources
SIEM Query:
source="*knowbe4*" AND (event="update_failed" OR dest_ip NOT IN [known_knowbe4_ips])