CVE-2024-29210 in Phish Alert Button for Outlook
Summary
by MITRE • 05/07/2024
A local privilege escalation (LPE) vulnerability has been identified in Phish Alert Button for Outlook (PAB), specifically within its configuration management functionalities. This vulnerability allows a regular user to modify the application's configuration file to redirect update checks to an arbitrary server, which can then be exploited in conjunction with CVE-2024-29209 to execute arbitrary code with elevated privileges.
The issue stems from improper permission settings on the application's configuration file, which is stored in a common directory accessible to all users. This file holds critical parameters, including the update server URL. By default, the application does not enforce adequate access controls on this file, so a non-privileged user can modify it without administrative rights.
An attacker with regular user access can alter the update server URL specified in the configuration file to point to a malicious server. When the application performs its next update check, it will contact the attacker-controlled server. If the system is also vulnerable to CVE-2024-29209, the attacker can deliver a malicious update package that, when executed, grants them elevated privileges.
Impact: This vulnerability can lead to a regular user executing code with administrative privileges. This can result in unauthorized access to sensitive data, installation of additional malware, and a full takeover of the affected system.
Affected Products:
  Phish Alert Button (PAB) for Outlook versions 1.10.0 through 1.10.11
  Second Chance Client versions 2.0.0 through 2.0.9
  PIQ Client versions 1.0.0 through 1.0.15
Remediation: KnowBe4 has released a patch that corrects the permission settings on the configuration file to prevent unauthorized modifications. Automated updates will be pushed to address this issue. Users of affected versions should verify the latest version is applied and, if not, apply the latest updates provided by KnowBe4.
Workarounds: Manually set the correct permissions on the configuration file so that only administrators (and the system account) hold write access; regular users need no more than read access.
Credits: This vulnerability was discovered by Ceri Coburn at Pen Test Partners, who reported it responsibly to the vendor.
Analysis
by VulDB Data Team • 05/07/2024
CVE-2024-29210 is a local privilege escalation flaw in Phish Alert Button for Outlook and related KnowBe4 client applications. It sits in the configuration handling of these clients: the configuration file lives in a directory that is accessible to all users and is not protected by adequate permissions, so a regular user can change the update server parameter the client relies on. The flaw maps to CWE-276 (Incorrect Default Permissions) and shows how a permissive default on a single file can turn into a privilege escalation path.
Exploitation starts with a regular user rewriting the update server URL in the configuration file to point at a server they control. Because the file is writable by any user, no administrative control is bypassed in the usual sense; the control simply was never enforced. At the next update check the client contacts the attacker's server instead of the legitimate one. On its own this only redirects the check; the privilege escalation comes from chaining it with CVE-2024-29209, which allows a malicious update package delivered from that server to run with elevated privileges.
The impact is therefore full system compromise: a user with only standard rights ends up executing code with administrative privileges, with the corresponding access to sensitive data, system resources and the network. The exposure is notable because the update path of these clients runs with elevated privileges while the configuration that steers it was user-writable. The affected versions span PAB for Outlook, Second Chance Client and PIQ Client, so enterprise deployments of more than one KnowBe4 client are exposed.
KnowBe4's fix addresses the root cause by restricting write access on the configuration file to administrative users, and is delivered through the same automatic update mechanism. Organizations should still confirm that the patched version is actually installed rather than rely on the push alone. Where automatic updates cannot be applied promptly, manually setting the file permissions gives an immediate mitigation; it removes the attacker's ability to redirect the update check and so breaks the chain before CVE-2024-29209 comes into play.
The issue was found and reported to the vendor by Ceri Coburn at Pen Test Partners under responsible disclosure. Two points are worth retaining: security tooling that updates itself with elevated privileges must treat every input to that update path, including its own configuration, as security-critical; and CVE-2024-29210 and CVE-2024-29209 are each modest in isolation but combine into a complete local privilege escalation, which is why assessments should consider chained, multi-stage scenarios. That the permissive default survived across several releases of three products argues for routine permission audits on installed files as part of the release process.
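The workaround in the summary and the remediation discussion above both come down to one check: does any non-administrative principal hold write access to the configuration file, and if so, remove it. The following PowerShell script is an added example written for this page; it is not KnowBe4's patch and not VulDB's code. The configuration path is a placeholder (the real location is not given on the page), and the choice to leave ordinary users with read access assumes the add-in, running as the logged-on user, still needs to read its settings. Run it from an elevated session; without -Fix it only reports.

```powershell
# Added example (not KnowBe4's or VulDB's code): audit the ACL on a configuration
# file for write access granted to non-administrative principals and, with -Fix,
# remove those grants so that only SYSTEM and Administrators can modify the file.
param(
    # Placeholder path; the real PAB configuration file location is an assumption here.
    [string]$ConfigPath = 'C:\ProgramData\ExampleVendor\PAB\config.xml',
    [switch]$Fix
)

# Well-known SIDs that may legitimately hold write rights on the file.
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

# Any right that lets a caller change the file's content, permissions or owner.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-SidString([System.Security.Principal.IdentityReference]$Identity) {
    # Normalise an ACE principal to a SID string so well-known accounts compare
    # reliably regardless of display name or locale.
    try { return $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $Identity.Value }   # already a SID, or an unresolvable account
}

function Test-UntrustedWriteAce([System.Security.AccessControl.FileSystemAccessRule]$Ace) {
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    if (([int]$Ace.FileSystemRights -band $WriteMask) -eq 0) { return $false }
    return -not ($TrustedSids -contains (Get-SidString $Ace.IdentityReference))
}

function Find-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if (-not (Test-UntrustedWriteAce $ace)) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited from the shared directory is the CWE-276 case
        }
    }
}

function Protect-ConfigFile {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the common directory (the source of the permissive
    # default) and copy the inherited ACEs so they become explicit and editable.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access)) {
        if (-not (Test-UntrustedWriteAce $ace)) { continue }
        # Drop the write grant; leave the principal read-only (assumption: the
        # add-in runs as the user and still has to read its settings).
        [void]$acl.RemoveAccessRule($ace)
        [void]$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.IdentityReference,
            [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
            [System.Security.AccessControl.AccessControlType]::Allow)))
    }
    foreach ($sid in $TrustedSids) {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        [void]$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Allow)))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$findings = @(Find-UntrustedWriteAce -Path $ConfigPath)
if ($findings.Count -eq 0) {
    "No untrusted write access on $ConfigPath"
} else {
    "Untrusted write access found on $ConfigPath:"
    $findings | Format-Table -AutoSize
    if ($Fix) {
        Protect-ConfigFile -Path $ConfigPath
        "Remaining untrusted write ACEs after fix: $(@(Find-UntrustedWriteAce -Path $ConfigPath).Count)"
    }
}
```

The audit deliberately matches on the SID rather than the account name and treats inherited ACEs the same as explicit ones, since an ACE inherited from a world-writable ProgramData-style directory is exactly the condition the advisory describes. Re-run the audit after the vendor patch is installed: it should report no findings for the patched version, which is a more direct check than trusting that the automatic update was applied.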