Fully patched Windows 11 systems are vulnerable to attacks that allow an adversary to install custom rootkits that can neutralize endpoint security mechanisms, hide malicious processes and network activity, maintain persistence and stealth on a compromised system, and more.
The attack involves a Windows OS downgrade technique that SafeBreach security researcher Alon Leviev demonstrated at Black Hat USA 2024 in August, and for which he developed an exploit tool called Windows Downdate. Leviev showed how an attacker with admin-level access to a system could tamper with the Windows Update process and revert fully patched Windows components, including dynamic link libraries, drivers, and the kernel, back to a previously vulnerable state.
Windows OS Downgrade Attack
As part of the demo, the researcher showed how the attack would work even where an organization had enabled virtualization-based security (VBS) to protect critical OS components. Leviev downgraded VBS features such as the Secure Kernel and Credential Guard's Isolated User Mode process to expose privilege escalation vulnerabilities in them that Microsoft had already addressed.
"I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term 'fully patched' meaningless on any Windows machine in the world," Leviev wrote in August.
Since then, Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) that Leviev reported to the company after discovering and exploiting them as part of his attack chain. However, Microsoft has so far not addressed the ability of an attacker with admin access to abuse the Windows Update process itself to downgrade critical OS components back to insecure states.
Not a Security Vulnerability?
The issue comes down to Microsoft declining to treat an admin-level user gaining kernel code execution as crossing a security boundary. "Microsoft did fix every vulnerability that resulted from crossing a defined security boundary," Leviev tells Dark Reading. "Crossing from administrator to the kernel isn't considered a security boundary, and hence it was not fixed."
To show why this remains a threat, Leviev on Oct. 26 released details of a new Windows downgrade attack he developed, in which he used his Windows Downdate tool to revive a driver signature enforcement (DSE) bypass that Microsoft had mitigated with its patch for CVE-2024-21302. He showed how an attacker could abuse the issue to load unsigned kernel drivers and deploy bespoke rootkits.
"The 'ItsNotASecurityBoundary' DSE bypass belongs to a new class of flaws known as False File Immutability (FFI)" that researchers at Elastic Security reported earlier this year, Leviev wrote in his Oct. 26 post. "This class exploits incorrect assumptions about file immutability — specifically, that blocking write access sharing makes a file immutable."
Leviev says that all he had to do to execute the attack was to identify the specific OS module (CI.dll) to which Microsoft had applied the patch for CVE-2024-21302, and then use his Downdate tool to downgrade that module back to its unpatched version.
"Downgrading only ci.dll to its unpatched version works well against a fully patched Windows 11 23H2 machine," Leviev wrote on Oct. 26. The researcher added that he was able to exploit the issue even when VBS was enabled, with and without the UEFI lock that protects the boot process and firmware configuration. "To fully mitigate the attack, VBS needs to be enabled with UEFI lock and the 'Mandatory' flag. Otherwise, it would be possible for an attacker to disable VBS, downgrade ci.dll, and successfully exploit the flaw," he noted.
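The mitigation Leviev describes (VBS running, with UEFI lock and the Mandatory flag) is something a defender can verify on a host. The script below is an added example, not code from the article, SafeBreach, or Microsoft. It reads the Win32_DeviceGuard WMI class, which reports whether VBS and HVCI are actually running, and then looks for the DeviceGuard registry values that Microsoft's documentation uses for the UEFI lock and Mandatory settings. The registry paths and value names are an assumption drawn from that documentation and should be checked against the docs for the Windows build in use.

```powershell
# Added example: report whether VBS is running and whether the UEFI lock and
# Mandatory settings the article says are required are both present.
# Run from an elevated PowerShell session on Windows 10/11.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (hypervisor-protected code integrity)
$vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$hvciRunning = ($dg.SecurityServicesRunning -contains 2)

# Assumption: these value names follow Microsoft's DeviceGuard registry documentation.
# 'Locked' corresponds to "enabled with UEFI lock"; 'Mandatory' makes boot fail
# rather than silently continuing with VBS disabled.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

function Get-RegDword([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$locked    = Get-RegDword -Path $base -Name 'Locked'
$mandatory = Get-RegDword -Path $base -Name 'Mandatory'

$report = [pscustomobject]@{
    VbsRunning  = $vbsRunning
    HvciRunning = $hvciRunning
    UefiLock    = ($locked -eq 1)
    Mandatory   = ($mandatory -eq 1)
}
# 'Hardened' is true only when every condition the article lists is met;
# anything less leaves the "disable VBS, downgrade ci.dll" path open.
$report | Add-Member -NotePropertyName Hardened -NotePropertyValue (
    $report.VbsRunning -and $report.HvciRunning -and $report.UefiLock -and $report.Mandatory
)
$report
```

A host that reports VbsRunning but not UefiLock is exactly the configuration Leviev says he could still exploit, since an administrator can switch VBS off and reboot before downgrading the module.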
In an emailed comment, Tim Peck, senior threat researcher at Securonix, described the Windows Downdate attacks as taking advantage of Windows not always validating the version numbers of its DLLs when loading them. This allows "attackers to trick the operating system (OS) into using outdated files that are more susceptible to exploitation," he explained. "If the attacker is able to downgrade Windows Defender, especially with regard to security updates, they would have free rein to execute malicious files or tactics that would normally have been caught."
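Because the downgraded file is a genuine, Microsoft-signed older build, an Authenticode check alone will not flag it; what changes is the file version. The script below is an added example, not code from the article or from any of the vendors quoted, showing one way to catch that: record the versions of the modules Windows Downdate is known to target on a trusted reference machine, then compare a suspect host against that baseline. The module list and the baseline values are assumptions for illustration; capture your own baseline from a known-good system.

```powershell
# Added example: detect a version rollback of kernel-mode integrity components.
# Assumed target list: the modules named in the article (ci.dll) plus two other
# VBS/kernel components an attacker would plausibly downgrade.
$modules = @(
    "$env:SystemRoot\System32\ci.dll",
    "$env:SystemRoot\System32\securekernel.exe",
    "$env:SystemRoot\System32\ntoskrnl.exe"
)

# Build a [version] from the numeric parts rather than parsing FileVersion,
# which can carry trailing text on some builds.
function Get-ModuleVersion([string]$Path) {
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    [version]("{0}.{1}.{2}.{3}" -f $info.FileMajorPart, $info.FileMinorPart,
                                    $info.FileBuildPart, $info.FilePrivatePart)
}

# Run this on a trusted, fully patched reference machine and store the output.
function Export-Baseline {
    $out = @{}
    foreach ($m in $modules) { $out[$m] = (Get-ModuleVersion -Path $m).ToString() }
    $out | ConvertTo-Json
}

# Run this on the host under investigation with the stored baseline.
# A signature that is still 'Valid' on a file whose version went backwards is
# the telltale of a downgrade rather than tampering or corruption.
function Test-Downgrade([hashtable]$Baseline) {
    foreach ($m in $modules) {
        $current  = Get-ModuleVersion -Path $m
        $expected = [version]$Baseline[$m]
        $sig      = Get-AuthenticodeSignature -FilePath $m
        if ($current -lt $expected) {
            Write-Warning ("{0}: on disk {1}, baseline {2}: possible downgrade (signature {3})" -f
                           $m, $current, $expected, $sig.Status)
        } elseif ($sig.Status -ne 'Valid') {
            Write-Warning ("{0}: signature status {1}" -f $m, $sig.Status)
        } else {
            Write-Output ("{0}: OK ({1})" -f $m, $current)
        }
    }
}

# Usage (baseline values below are placeholders, not real build numbers):
# $baseline = ConvertFrom-Json (Export-Baseline) -AsHashtable   # on the reference host
# Test-Downgrade -Baseline $baseline                            # on the suspect host
```

Compare on-disk files, not loaded modules: a rollback staged through the update process takes effect at the next boot, so the check is most useful before the reboot that would activate the downgraded component.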
Microsoft Is Now Working on a Fix
A Microsoft spokesman noted in an email that the company is "actively developing mitigations to protect against these risks," without specifying what measures it might be taking or when they would be available. The company is thoroughly investigating update development and compatibility, he wrote.
"We are developing a security update that will revoke outdated, unpatched VBS system files to mitigate this threat," he wrote. "Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions."
Microsoft will also continue to update information around CVE-2024-21302, he wrote, with additional mitigation or related risk reduction guidance as it becomes available.