Windows Downgrade Attack Threatens to Expose Patched Systems to Old Vulnerabilities

August 08, 2024Ravi LakshmananSecurity / Vulnerabilities in Windows

Microsoft said it is developing security updates to address two vulnerabilities that it said could be exploited to launch Windows downgrade attacks and replace current versions of operating system files with older versions.

The weaknesses are listed below –

  • CV-2024-38202 (CVSS Score: 7.3) – Elevation of Privilege Vulnerability in Windows Update Package
  • CV-2024-21302 (CVSS Score: 6.7) – Kernel Secure Mode Windows Elevation of Privilege Vulnerability

Credit for discovering and reporting the flaws goes to SafeBreach Labs researcher Alon Leviev, who presented the findings in Black Hat USA 2024 And Def Con 32.

Cyber ​​Security

The tech giant said CVE-2024-38202, which is rooted in the Windows Backup component, allows “an attacker with root user privileges to reintroduce previously mitigated vulnerabilities or circumvent certain Virtualization Based Security (VBS) features.”

However, she noted that an attacker trying to take advantage of the vulnerability would have to convince a system administrator or user with delegated permissions to perform a system restore which would inadvertently trigger the vulnerability.

The second vulnerability also concerns a privilege escalation condition on Windows systems that support VBS, effectively allowing an attacker to replace current versions of Windows system files with older versions.

The consequences of CVE-2024-21302 are that it can be weaponized to reintroduce previously addressed security flaws, bypass some VBS features, and exfiltrate data protected by VBS.

Windows Downgrade Attack

Leviev, who detailed a tool he called Windows Downdate, He said It can be used to turn a “fully patched Windows PC into a vulnerability to thousands of previously exploited vulnerabilities, turn fixed vulnerabilities into unpatched vulnerabilities, and make the term ‘fully patched’ meaningless on any Windows PC in the world.”

See also  Apple Weather has experienced a service outage. Here are some alternatives

Leviev added that the tool could “hijack the Windows update process to create undetectable, invisible, persistent, and irreversible updated versions of core operating system components — allowing me to elevate privileges and bypass security features.”

Furthermore, Windows Downdate is able to bypass verification steps, such as integrity checking and trusted installer enforcement, making it possible to effectively downgrade critical operating system components, including dynamic link libraries (DLLs), drivers, and the NT kernel.

Cyber ​​Security

Furthermore, the issues can be exploited to downgrade the isolated user mode process in Credential Guard, Secure Kernel, and Hyper-V’s hypervisor to expose previous privilege escalation vulnerabilities, as well as disable VBS, along with features such as Hypervisor-protected Code Integrity (HVCI).

The end result is that a fully patched Windows system may become vulnerable to thousands of previously installed vulnerabilities, turning fixed flaws into unpatched vulnerabilities.

These downgrades have the additional effect of having the operating system report a full system update, while at the same time preventing future updates from being installed and detected by recovery and scanning tools.

“The downgrade attack I was able to execute on the virtualization cluster within Windows was possible due to a design flaw that allowed lower privileged virtual trust levels/rings to update components in higher privileged virtual trust levels/rings,” Leviev said.

“This was very surprising, given that Microsoft’s VBS features were announced in 2015, meaning the attack surface they discovered had been around for nearly a decade.”

Did you find this article interesting? Follow us on Twitter And LinkedIn To read more of our exclusive content.

Leave a Reply

Your email address will not be published. Required fields are marked *