Attackers can downgrade Windows kernel components to bypass security features such as Driver Signature Enforcement and deploy rootkits on fully patched systems.
This is possible by taking control of the Windows Update process to introduce outdated, vulnerable components onto an up-to-date machine while the operating system continues to report itself as fully patched.
Downgrading Windows
SafeBreach security researcher Alon Leviev reported the update takeover issue to Microsoft, but the company declined to treat it as a vulnerability, arguing that it does not cross a defined security boundary: the attack requires administrator privileges, and gaining kernel code execution from an administrator account is not considered crossing a boundary.
Leviev demonstrated the attack at the Black Hat and DEF CON security conferences this year, but the underlying problem is not completely fixed, leaving the door open to downgrade (version-rollback) attacks.
The researcher published a tool called Windows Downdate that creates custom downgrades, exposing a seemingly fully updated target system to already fixed vulnerabilities through outdated components such as DLLs, drivers, and the NT kernel.
"I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term “fully patched” meaningless on any Windows machine in the world" - Alon Leviev
Despite kernel security improving significantly over the years, Leviev managed to bypass the Driver Signature Enforcement (DSE) feature, showing how an attacker could load unsigned kernel drivers to deploy rootkit malware that disables security controls and hides activity that could lead to detecting the compromise.
“In recent years, significant enhancements have been implemented to strengthen the security of the kernel, even under the assumption that it could be compromised with Administrator privileges,” Leviev says.
While the new protections make it more difficult to compromise the kernel, "the ability to downgrade components that reside in the kernel makes things much simpler for attackers," the researcher explains.
Leviev calls his method the "ItsNotASecurityBoundary" DSE bypass because it is a downgrade variant of the ItsNotASecurityBoundary exploit, which leverages "false file immutability" flaws, a new vulnerability class in Windows identified by Gabriel Landau of Elastic as a way to achieve arbitrary code execution with kernel privileges.
Targeting the kernel
In new research published today, Leviev shows how an attacker with administrator privileges on a target machine could exploit the Windows Update process to bypass DSE protections by downgrading a patched component, even on fully updated Windows 11 systems.
The attack works by replacing 'ci.dll,' the component responsible for enforcing DSE, with an older version in which the already-fixed flaw is still present; the attacker then exploits that flaw to make the kernel ignore driver signatures, sidestepping Windows' protective checks.
Once the component is downgraded to a vulnerable version, the machine needs to restart, just like during a legitimate update process.
In the video below, the researcher demonstrates how he reverted the DSE patch via a downgrade attack and then exploited the component on a fully patched Windows 11 23H2 machine.
Leviev also describes methods to disable or bypass Microsoft's Virtualization-based Security (VBS), which creates an isolated environment in which Windows protects essential resources and security assets such as the secure kernel code integrity mechanism (skci.dll) and authenticated user credentials.
VBS typically relies on protections such as the UEFI lock and registry configuration to prevent unauthorized changes, but unless it is configured at its strictest setting (the "Mandatory" flag) it can be disabled through targeted registry key modifications.
When VBS is only partially enabled, key files such as 'SecureKernel.exe' can be replaced with corrupted versions that break VBS's operation, opening the way for the "ItsNotASecurityBoundary" bypass and the replacement of 'ci.dll'.
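The paragraph above says the registry-based path to disabling VBS is closed only when the UEFI lock and the "Mandatory" flag are set. The following script is an added example written for this page, not code from the article or from SafeBreach: it audits those settings on the local host, taking the runtime VBS/HVCI state from the Win32_DeviceGuard WMI class rather than trusting the registry alone. The registry value names Locked, Mandatory and RequirePlatformSecurityFeatures under the DeviceGuard keys are assumptions to verify against Microsoft's DeviceGuard documentation for your Windows build.

```powershell
# Added example (not from the article or SafeBreach): audit whether VBS/HVCI on this host
# is configured so that the registry-only disable path described above is closed.
# Assumed value names (check Microsoft's DeviceGuard docs): Locked, Mandatory,
# RequirePlatformSecurityFeatures under the DeviceGuard key; Locked under the HVCI scenario.
$dg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvci = Join-Path $dg 'Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-RegDword($Path, $Name) {
    # Returns $null when the value is absent, which the checks below treat as "not set".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Runtime truth, independent of what the registry claims.
$state = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning  = $state.VirtualizationBasedSecurityStatus -eq 2   # 2 = enabled and running
$hvciRunning = $state.SecurityServicesRunning -contains 2       # 2 = HVCI (memory integrity)

$findings = @()
if (-not $vbsRunning)  { $findings += 'VBS is not running.' }
if (-not $hvciRunning) { $findings += 'HVCI (memory integrity) is not running.' }
if ((Get-RegDword $dg 'Locked') -ne 1) {
    $findings += 'VBS UEFI lock (DeviceGuard\Locked) is not set: VBS can be turned off from the registry.'
}
if ((Get-RegDword $dg 'Mandatory') -ne 1) {
    $findings += 'VBS "Mandatory" flag is not set: a partially working VBS is tolerated at boot.'
}
if ((Get-RegDword $hvci 'Locked') -ne 1) {
    $findings += 'HVCI UEFI lock (Scenarios\HypervisorEnforcedCodeIntegrity\Locked) is not set.'
}
if ((Get-RegDword $dg 'RequirePlatformSecurityFeatures') -lt 1) {
    $findings += 'Secure Boot is not required for VBS (RequirePlatformSecurityFeatures < 1).'
}

if ($findings.Count -eq 0) {
    'VBS and HVCI are running with UEFI lock and Mandatory flag set.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}

# Remediation on a host you administer (requires admin rights, Secure Boot, and a reboot):
# New-ItemProperty -Path $dg -Name Locked    -PropertyType DWord -Value 1 -Force
# New-ItemProperty -Path $dg -Name Mandatory -PropertyType DWord -Value 1 -Force
```

Run it from an elevated PowerShell prompt. The registry values express intent; the UEFI lock itself only takes effect after a reboot, and an attacker who already holds administrator rights can edit these keys, which is exactly why the Win32_DeviceGuard state is read alongside them.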
Leviev’s work shows that downgrade attacks are still possible via several pathways, even if they sometimes carry strong privilege prerequisites.
A fix is brewing
While Microsoft has addressed the vulnerabilities exploited in the downgrade attack presented at Black Hat and DEF CON (CVE-2024-21302 and CVE-2024-38202), the company still has to fix the Windows Update takeover issue.
"[...] the Windows Update takeover which was reported to Microsoft as well, has remained unpatched, as it did not cross a defined security boundary. Gaining kernel code execution as an Administrator is not considered as crossing a security boundary (not a vulnerability)," Leviev notes.
Until Microsoft corrects the problem, the researcher highlights that security solutions should monitor for and detect downgrade attacks since they continue to pose a significant risk to organizations.
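One way to monitor for the downgrade the article describes is to baseline the kernel-resident components it targets (ci.dll, the NT kernel, the secure kernel and skci.dll) right after patching and then check whether any of them has moved to a lower version. The script below is an added example for this page, not code from the article or from SafeBreach; the baseline file location under ProgramData is an assumption. Note that an Authenticode check alone does not catch this attack, because the downgraded file is an older but validly signed Microsoft binary, so the script records signature status only as context.

```powershell
# Added example (not from the article): baseline and re-check the components a Windows
# downgrade attack swaps out. Detection is by version rollback, not by signature, since
# the rolled-back files are genuine, signed Microsoft builds.
$Components = @(
    "$env:SystemRoot\System32\ci.dll",
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\securekernel.exe",
    "$env:SystemRoot\System32\skci.dll"
)
$BaselinePath = "$env:ProgramData\kernel-component-baseline.json"   # assumed location

function Get-ComponentState {
    foreach ($p in $Components) {
        if (-not (Test-Path $p)) { continue }
        $vi = (Get-Item $p).VersionInfo
        # Build the version from the numeric parts; FileVersion strings carry extra text.
        $ver = New-Object Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path    = $p
            Version = $ver.ToString()                  # e.g. 10.0.22631.4317
            Sha256  = (Get-FileHash -Algorithm SHA256 -Path $p).Hash
            Signed  = (Get-AuthenticodeSignature $p).Status -eq 'Valid'
        }
    }
}

function Save-Baseline {
    # Run immediately after a cumulative update has been installed and the host rebooted.
    Get-ComponentState | ConvertTo-Json | Set-Content -Path $BaselinePath
}

function Test-Baseline {
    if (-not (Test-Path $BaselinePath)) {
        throw "No baseline at $BaselinePath; run Save-Baseline right after patching."
    }
    $base = @{}
    foreach ($b in (Get-Content $BaselinePath -Raw | ConvertFrom-Json)) { $base[$b.Path] = $b }

    # What Windows Update / winver report as the patch level; a downgrade leaves this intact.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    "OS reports build $($cv.CurrentBuild).$($cv.UBR)"

    foreach ($c in Get-ComponentState) {
        $b = $base[$c.Path]
        if (-not $b) { "NEW      $($c.Path) $($c.Version)"; continue }
        $baseVer = [version]$b.Version
        $curVer  = [version]$c.Version
        if ($curVer -lt $baseVer) {
            "ROLLBACK $($c.Path): $baseVer -> $curVer (signed=$($c.Signed))"
        } elseif ($c.Sha256 -ne $b.Sha256) {
            "CHANGED  $($c.Path): $baseVer -> $curVer (signed=$($c.Signed))"
        } else {
            "OK       $($c.Path) $curVer"
        }
    }
}
```

Dot-source the file, call Save-Baseline after each patch cycle and Test-Baseline on a schedule. Because the attacker in this scenario already has administrator rights and could edit a local baseline, ship the baseline and the results to an EDR or SIEM rather than trusting a copy on the host; a ROLLBACK line on a machine that still reports a current build is the signature of the attack described above.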
In a statement for BleepingComputer, a Microsoft spokesperson says that the company is "actively developing mitigations to protect against these risks."
However, the process involves "a thorough investigation, update development across all affected versions, and compatibility testing" to make sure that customers are protected and operational disruption is minimized.
The company is developing a security update that mitigates the issue by revoking outdated, unpatched VBS system files. It is unclear when the update will become available since the problem is complex and requires comprehensive testing to avoid integration failures or regressions.
UPDATE [October 27th]: Article edited to remove potential confusion about Microsoft not taking steps to mitigate the issue by adding information from the company, and to clarify that the attack requires administrator privileges.
Comments
PPPPowerbook - 2 weeks ago
Just for the fun folks of this website, there are currently active ways to exploit this if users have the win10 or win11 iso locally on their computer. Everyone knows the path to the "downloads" folder. Admin or no. The files on the ISO are signed. Let's just say that SHGetKnownFolderPath function is your friend. Please fix this MSFT. You claim its not "broken" but it is cause you can do this. Requires some powershell trickery, but can be done. Apple had this issue with the main OS upgrade installer residing in the applications folder after each major upgrade, (As in OS 10.9 to 10.10). After the install it deletes the Installer from the apps folder. As of 10.14 (5 years ago) IIRC, you had to elevate to view package contents via the terminal. Less of an issue in a corp environment, but I worry about all the people who still dump drivers on a folder on the root of C: that never get updated.