Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel

Oct 28, 2024 | Ravie Lakshmanan | Weakness / Windows Defense

A new attack technique could be used to bypass Microsoft’s Driver Signature Enforcement (DSE) on fully patched Windows systems, enabling downgrade attacks against the operating system (OS).

“This workaround permits the loading of unsigned kernel drivers, empowering malicious actors to install tailor-made rootkits that can evade security measures, conceal running processes and network activity, ensure invisibility, among other malicious capabilities,” SafeBreach researcher Alon Leviev said in a report shared with The Hacker News.

The latest findings build on earlier research that identified two elevation-of-privilege vulnerabilities in the Windows Update process (CVE-2024-21302 and CVE-2024-38202), which could be exploited to roll back an up-to-date Windows installation to an older version containing unpatched security flaws.

The attack was demonstrated with a tool named Windows Downdate, which, according to Leviev, could hijack the Windows Update process to craft fully undetectable, persistent, and irreversible downgrades of critical OS components.


The consequences are significant: the technique gives attackers a more attractive alternative to Bring Your Own Vulnerable Driver (BYOVD) attacks, since it lets them downgrade first-party components, including the OS kernel itself.

Microsoft has since addressed CVE-2024-21302 and CVE-2024-38202 on August 13 and October 8, 2024, respectively, as part of its Patch Tuesday updates.

The new technique devised by Leviev uses the downgrade tool to roll back the patch for the “ItsNotASecurityBoundary” DSE bypass on a fully updated Windows 11 machine.

ItsNotASecurityBoundary was first documented by Elastic Security Labs researcher Gabriel Landau in July 2024 alongside PPLFault, which he described as a new bug class codenamed False File Immutability. Microsoft patched it earlier, in May.

In short, it exploits a race condition to replace a verified security catalog file with a malicious version containing an Authenticode signature for an unsigned kernel driver, after which the attacker causes the kernel to load that driver.

Microsoft’s code integrity mechanism, which validates a file using the kernel-mode library ci.dll, then reads the rogue security catalog to verify the driver’s signature and loads it, allowing the attacker to execute arbitrary code in the kernel.

OS Downgrade Weakness

The DSE bypass is achieved by using the downgrade tool to replace the “ci.dll” library with an older version (10.0.22621.1376), which undoes the fix Microsoft introduced.

There is, however, a security control that can thwart such a bypass. If Virtualization-Based Security (VBS) is running on the targeted machine, the catalog check is performed by the Secure Kernel Code Integrity DLL (skci.dll) rather than by ci.dll.

That said, VBS is usually enabled without a Unified Extensible Firmware Interface (UEFI) Lock. As a result, an attacker could turn it off by modifying the EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures registry values.

Even when UEFI lock is enabled, the attacker could disable VBS by replacing one of its core files with an invalid version. In the end, the steps an attacker must take to exploit the vulnerability are:

  • Disabling VBS in the Windows Registry or corrupting SecureKernel.exe
  • Downgrading ci.dll to the unpatched version
  • Rebooting the system
  • Exploiting the ItsNotASecurityBoundary DSE bypass to gain kernel-level code execution

The only scenario in which the attack fails is when VBS is enabled together with a UEFI lock and the “Mandatory” flag, the latter of which causes the system to fail to boot if any VBS files are corrupted. Mandatory mode is enabled manually by setting a registry value.


“The Mandatory setting halts the OS loader if the Hypervisor, Secure Kernel, or any dependent modules fail to initialize,” Microsoft emphasizes in its documentation. “Careful consideration is advised before activating this mode, as any malfunction of the virtualization modules will prevent the system from booting.”

Therefore, to fully mitigate the attack, VBS must be enabled with both the UEFI lock and the Mandatory flag set. In any other configuration, an attacker can disable the security feature, perform the DLL replacement, and carry out the DSE bypass.
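As an added example that is not code from the article or from SafeBreach, the PowerShell audit below reports whether a host is in the one configuration the article says defeats the bypass (VBS running with UEFI lock and the Mandatory flag) and compares the installed ci.dll against the downgraded build the article cites. The DeviceGuard registry key path, the Locked and Mandatory value names, and the Win32_DeviceGuard WMI class are assumptions drawn from Microsoft's Device Guard documentation, not values given in the article.

```powershell
# Added audit script (not from the article or SafeBreach). Reports whether the
# host has VBS running with UEFI lock and the Mandatory flag, the state the
# article identifies as blocking the ci.dll downgrade. Registry key, Locked and
# Mandatory value names, and the Win32_DeviceGuard class are assumptions from
# Microsoft's Device Guard documentation; the ci.dll build is the one the article cites.
$DgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$CiPath = Join-Path $env:SystemRoot 'System32\ci.dll'
$OldCi  = [version]'10.0.22621.1376'   # downgraded (unpatched) ci.dll build

function Get-DgValue([string]$Name) {
    # Returns $null when the value is absent, which is the default for all of them.
    (Get-ItemProperty -Path $DgKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Policy as configured in the registry
$vbsEnabled = Get-DgValue 'EnableVirtualizationBasedSecurity'
$platform   = Get-DgValue 'RequirePlatformSecurityFeatures'  # 1 = Secure Boot, 3 = Secure Boot + DMA
$uefiLock   = Get-DgValue 'Locked'                           # 1 = settings locked in UEFI
$mandatory  = Get-DgValue 'Mandatory'                        # 1 = boot halts if VBS fails to start

# Runtime state: VirtualizationBasedSecurityStatus 2 = enabled and running
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# Build the installed ci.dll version from its numeric parts; the FileVersion
# string on Windows binaries carries a "(WinBuild...)" suffix that [version] rejects.
$vi = (Get-Item $CiPath).VersionInfo
$ciVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

$findings = [ordered]@{
    'VBS enabled (registry)'     = ($vbsEnabled -eq 1)
    'VBS running'                = $vbsRunning
    'Platform security features' = $platform
    'UEFI lock'                  = ($uefiLock -eq 1)
    'Mandatory flag'             = ($mandatory -eq 1)
    'ci.dll version'             = $ciVersion
}
$findings.GetEnumerator() | ForEach-Object { '{0,-28}: {1}' -f $_.Key, $_.Value }

if ($vbsRunning -and $uefiLock -eq 1 -and $mandatory -eq 1) {
    'RESULT: VBS + UEFI lock + Mandatory are set; the article reports this configuration blocks the bypass.'
} else {
    'RESULT: mitigation incomplete; VBS could be disabled and ci.dll rolled back by a privileged attacker.'
}
# The build comparison is only meaningful on the 22621 branch the article describes;
# other Windows branches carry different build numbers, so treat it as a hint only.
if ($ciVersion.Build -eq 22621 -and $ciVersion -le $OldCi) {
    'WARNING: ci.dll is at or below the unpatched build 10.0.22621.1376 named in the article.'
}
```

Run it from an elevated PowerShell session; reading the DeviceGuard key and the WMI class does not require elevation, but the file version check and any remediation that follows do.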

“The primary message […] is that security solutions should aim to identify and thwart downgrade operations even for components that do not trespass defined security boundaries,” Leviev disclosed to The Hacker News.
