Microsoft said it is developing security updates to address two vulnerabilities that it said could be exploited to launch Windows downgrade attacks and replace current versions of operating system files with older versions.
The weaknesses are listed below –
- CVE-2024-38202 (CVSS score: 7.3) – Windows Update Stack Elevation of Privilege Vulnerability
- CVE-2024-21302 (CVSS score: 6.7) – Windows Secure Kernel Mode Elevation of Privilege Vulnerability
Credit for discovering and reporting the flaws goes to SafeBreach Labs researcher Alon Leviev, who presented the findings at Black Hat USA 2024 and DEF CON 32.
The tech giant said CVE-2024-38202, which resides in the Windows Backup component, allows "an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some feature of Virtualization Based Security (VBS)."
However, the company noted that an attacker trying to take advantage of the vulnerability would first have to convince a system administrator, or a user with delegated permissions, to perform a system restore, which would inadvertently trigger the vulnerability.
The second vulnerability, CVE-2024-21302, is likewise a privilege escalation issue, this time on Windows systems that support VBS. It effectively allows an attacker to replace current versions of Windows system files with older versions.
As a consequence, CVE-2024-21302 can be weaponized to reintroduce previously addressed security flaws, bypass some VBS features, and exfiltrate data protected by VBS.
Leviev, who detailed a tool he called Windows Downdate, said it can be used to turn a "fully patched Windows PC into one that is vulnerable to thousands of previously exploited vulnerabilities, turn fixed vulnerabilities into unpatched vulnerabilities, and make the term 'fully patched' meaningless on any Windows PC in the world."
Leviev added that the tool could "hijack the Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades of critical operating system components, which allowed me to elevate privileges and bypass security features."
Furthermore, Windows Downdate is able to bypass verification steps, such as integrity checking and trusted installer enforcement, making it possible to effectively downgrade critical operating system components, including dynamic link libraries (DLLs), drivers, and the NT kernel.
The issues can also be exploited to downgrade Credential Guard's Isolated User Mode process, the Secure Kernel, and Hyper-V's hypervisor in order to expose past privilege escalation vulnerabilities, as well as to disable VBS entirely, along with features such as Hypervisor-Protected Code Integrity (HVCI).
The end result is that a fully patched Windows system can be made vulnerable to thousands of previously patched vulnerabilities, turning fixed flaws into unpatched ones.
These downgrades have the additional effect of making the operating system report that it is fully up to date, while at the same time preventing future updates from being installed and evading detection by recovery and scanning tools.
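Because a downgraded machine still reports itself as fully patched, the reported update state cannot be trusted; what can be compared is the on-disk version of the components Windows Downdate targets against a baseline taken from a known-good host. The following PowerShell script is an added example written for this article and is not code from Microsoft, SafeBreach, or the Windows Downdate tool. The component list, the JSON baseline format, and the `-Capture` workflow are this script's own assumptions; the `Win32_DeviceGuard` CIM class, its status values, and the `CurrentVersion` registry keys are standard Windows interfaces.

```powershell
<#
  Added example (not from the article, Microsoft, or SafeBreach).
  Flags VBS-related binaries whose on-disk file version is OLDER than a
  baseline captured on a trusted, fully patched reference host.

  Usage:
    .\Check-VbsDowngrade.ps1 -Capture -BaselinePath .\vbs-baseline.json   # on a trusted host
    .\Check-VbsDowngrade.ps1 -BaselinePath .\vbs-baseline.json            # on a suspect host
#>
[CmdletBinding()]
param(
    [string]$BaselinePath = ".\vbs-baseline.json",
    [switch]$Capture
)

# Components a Downdate-style attack targets: NT kernel, Secure Kernel (VTL1),
# Hyper-V hypervisor (Intel/AMD builds), and the code-integrity modules.
# The list is this script's assumption; extend it for your own estate.
$Components = @("ntoskrnl.exe", "securekernel.exe", "hvix64.exe", "hvax64.exe", "ci.dll", "skci.dll") |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

function Get-ComponentVersions {
    # Use the numeric version parts rather than parsing the FileVersion string,
    # which on Windows binaries carries a trailing "(WinBuild...)" suffix.
    $result = @{}
    foreach ($path in $Components) {
        if (-not (Test-Path $path)) { continue }   # e.g. hvax64.exe on an Intel box
        $vi = (Get-Item $path).VersionInfo
        $v  = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $result[(Split-Path $path -Leaf)] = $v.ToString()
    }
    return $result
}

function Get-VbsStatus {
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard = (@($dg.SecurityServicesRunning) -contains 1)
        HVCI            = (@($dg.SecurityServicesRunning) -contains 2)
    }
}

function Get-ReportedBuild {
    # What the OS itself claims to be; a downgrade attack may leave this untouched.
    $cv = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    "$($cv.CurrentMajorVersionNumber).$($cv.CurrentMinorVersionNumber).$($cv.CurrentBuildNumber).$($cv.UBR)"
}

$current = Get-ComponentVersions

if ($Capture) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline for $($current.Count) components written to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "Baseline not found: $BaselinePath (run with -Capture on a trusted host first)"
}
$baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json

$findings = foreach ($name in $current.Keys) {
    $base = $baseline.$name
    if (-not $base) { continue }                    # component absent from baseline
    $onDisk = [version]$current[$name]
    $status = if ($onDisk -lt [version]$base) { "DOWNGRADED" }
              elseif ($onDisk -gt [version]$base) { "newer than baseline" }
              else { "ok" }
    [pscustomobject]@{ Component = $name; Baseline = $base; OnDisk = $onDisk.ToString(); Status = $status }
}

Write-Host "OS-reported build : $(Get-ReportedBuild)"
Write-Host "VBS status        : $((Get-VbsStatus | ConvertTo-Json -Compress))"
$findings | Sort-Object Status, Component | Format-Table -AutoSize

# Non-zero exit so the check can gate a scheduled task or a CI/CD runner.
if ($findings | Where-Object Status -eq "DOWNGRADED") { exit 1 }
```

Two caveats on interpretation. "Newer than baseline" usually means the baseline is stale and should be re-captured after each validated update cycle; only "DOWNGRADED" is the signal to investigate. And because the attack operates below the OS's own reporting, run this from a context the attacker does not control where possible (a boot image or an offline-mounted volume) rather than trusting the live system's view of itself; the OS-reported build line is printed so a mismatch between what Windows claims and what is on disk is visible, not because the claim can be trusted.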
"The downgrade attack I was able to execute on the virtualization stack within Windows was possible due to a design flaw that allowed less privileged virtual trust levels/rings to update components in more privileged virtual trust levels/rings," Leviev said.
"This was very surprising, given that Microsoft's VBS features were announced in 2015, meaning the attack surface I discovered had been around for nearly a decade."