Windows Downgrade Attack Exposes Fully Patched Systems to Old Vulnerabilities
Microsoft says it is developing security updates for two vulnerabilities that could be exploited to mount downgrade attacks against the Windows Update architecture, replacing current versions of OS files with older ones.
The two vulnerabilities are:
- CVE-2024-38202 (CVSS score: 7.3) – Elevation of Privilege Vulnerability in Windows Update Stack
- CVE-2024-21302 (CVSS score: 6.7) – Elevation of Privilege Vulnerability in Windows Secure Kernel Mode
SafeBreach Labs researcher Alon Leviev is credited with discovering and reporting the flaws, which he presented at Black Hat USA 2024 and DEF CON 32.
CVE-2024-38202, which lies in the Windows Backup component, allows an “attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS),” Microsoft said.
The company added, however, that to exploit the flaw an attacker must convince an Administrator or a user with delegated permissions to perform a system restore, which then triggers the vulnerability.
The second flaw is a privilege-escalation issue in Windows systems that support VBS; it lets an attacker replace current Windows system files with outdated versions.
Successful exploitation of CVE-2024-21302 could be used to reintroduce previously fixed security vulnerabilities, bypass some VBS features, and exfiltrate data protected by VBS.
Leviev, who built a tool called Windows Downdate, said it could make a “fully patched Windows machine vulnerable to thousands of past vulnerabilities, transforming resolved vulnerabilities into zero-days, rendering the ‘fully patched’ label meaningless on any Windows machine globally.”
Leviev also said the tool could “maneuver the Windows Update procedure to develop fully concealed, imperceptible, persistent, and irreversible downgrades on essential OS components—permitting privilege escalation and bypassing security mechanisms.”
Windows Downdate can also bypass verification steps such as integrity checks and Trusted Installer enforcement, allowing it to downgrade critical OS components including dynamic link libraries (DLLs), drivers, and the NT kernel.

The issues can also be used to downgrade Credential Guard’s Isolated User Mode process, the Secure Kernel, and Hyper-V’s hypervisor to versions with known privilege-escalation vulnerabilities, and to disable VBS and features such as Hypervisor-Protected Code Integrity (HVCI).
The result is that a fully patched Windows system can be exposed to numerous past vulnerabilities, turning fixed issues back into zero-days.
A further consequence is that the system reports itself as fully updated while blocking installation of future updates and evading detection by recovery and scanning tools.
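Because a downgraded machine still reports itself as fully patched, a practical triage step is to compare the patch level Windows claims in the registry with the version stamps on the binaries the attack targets. The following PowerShell is an added example and is not code from the original article or from SafeBreach's Windows Downdate; it assumes a downgraded binary keeps its older FileVersion resource while the registry still carries the newer UBR, and that the targets live in their standard System32 locations.

```powershell
# Added example: not code from the original article or from SafeBreach's Windows Downdate.
# Cross-checks the patch level Windows reports (CurrentBuildNumber/UBR in the registry)
# against the version stamps on the VBS and kernel binaries the article lists as downgrade
# targets, then reads the live VBS/HVCI/Credential Guard state.
# Assumption: a downgraded binary keeps the older FileVersion stamp while the registry
# still claims the newer UBR, so a downgrade shows up as a file older than the reported
# level. A downgrade that also rewrites version resources, or rolls the registry back with
# the files, would not be caught. Run from an elevated PowerShell prompt.

$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$reportedBuild = [int]$cv.CurrentBuildNumber
$reportedUbr   = [int]$cv.UBR
Write-Host ("Reported OS level: {0}.{1}" -f $reportedBuild, $reportedUbr)

# Downgrade targets named in the article, at their standard System32 locations.
$targets = @(
    'ntoskrnl.exe'      # NT kernel
    'securekernel.exe'  # Secure Kernel (runs in VTL1)
    'hvix64.exe'        # Hyper-V hypervisor on Intel
    'hvax64.exe'        # Hyper-V hypervisor on AMD
    'ci.dll'            # Code Integrity, which HVCI enforces
    'lsaiso.exe'        # Credential Guard's isolated user-mode (LSA) process
)

$report = foreach ($name in $targets) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path -LiteralPath $path)) { continue }   # only one hypervisor image is present
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    # FileBuildPart/FilePrivatePart are the build and UBR fields of the version resource.
    $olderThanReported = ($vi.FileBuildPart -lt $reportedBuild) -or
        ($vi.FileBuildPart -eq $reportedBuild -and $vi.FilePrivatePart -lt $reportedUbr)
    [pscustomobject]@{
        File              = $name
        FileLevel         = '{0}.{1}' -f $vi.FileBuildPart, $vi.FilePrivatePart
        OlderThanReported = $olderThanReported
    }
}
$report | Format-Table -AutoSize

# Live VBS state from the DeviceGuard WMI class.
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
# SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    VbsStatus         = $dg.VirtualizationBasedSecurityStatus
    CredentialGuardOn = [bool]($dg.SecurityServicesRunning -contains 1)
    HvciOn            = [bool]($dg.SecurityServicesRunning -contains 2)
} | Format-List

if ($report | Where-Object OlderThanReported) {
    Write-Warning 'One or more VBS/kernel binaries are older than the reported patch level; compare against a known-good host at the same update level.'
}
```

Treat an OlderThanReported hit as a triage signal rather than proof of compromise: a cumulative update that did not touch a given binary legitimately leaves it at a lower UBR, so the useful comparison is against a known-good machine at the same update level, and a sudden drop in VbsStatus or HvciOn on a host where they were previously enforced is the more telling indicator.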
“The downgrade attack I successfully executed on the virtualization stack in Windows was feasible due to a design flaw enabling less privileged virtual trust levels/rings to update components residing in more privileged virtual trust levels/rings,” Leviev highlighted.
“This was quite unexpected, considering the introduction of Microsoft’s VBS characteristics in 2015, implying that the downgrade attack vector I found has been present for nearly a decade.”