SafeBreach security researcher Alon Leviev revealed at Black Hat 2024 that two zero-days could be exploited in downgrade attacks to "unpatch" fully updated Windows 10, Windows 11, and Windows Server systems and reintroduce old vulnerabilities.
Microsoft issued advisories on the two unpatched zero-days (tracked as CVE-2024-38202 and CVE-2024-21302) in coordination with the Black Hat talk, providing mitigation advice until a fix is released.
In downgrade attacks, threat actors force an up-to-date target device to roll back to older software versions, reintroducing vulnerabilities that can be exploited to compromise the system.
Leviev discovered that the Windows update process could be compromised to downgrade critical OS components, including dynamic link libraries (DLLs) and the NT Kernel. Even with these components rolled back to outdated versions, Windows Update still reported the OS as fully updated, and recovery and scanning tools were unable to detect any issues.
By exploiting the zero-day vulnerabilities, he could also downgrade Credential Guard's Secure Kernel and Isolated User Mode Process and Hyper-V's hypervisor to expose past privilege escalation vulnerabilities.
"I discovered multiple ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code integrity (HVCI), even when enforced with UEFI locks. To my knowledge, this is the first time VBS's UEFI locks have been bypassed without physical access," Leviev revealed.
"As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term 'fully patched' meaningless on any Windows machine in the world."
According to Leviev, the downgrade attack is both undetectable, because endpoint detection and response (EDR) solutions cannot block it, and invisible, because Windows Update continues to report the device as fully updated despite the rollback.
No patches after six months
Leviev unveiled his "Windows Downdate" downgrade attack six months after reporting the vulnerabilities to Microsoft in February as part of a coordinated responsible disclosure process.
Microsoft said today that it's still working on a fix for the Windows Update Stack Elevation of Privilege (CVE-2024-38202) and Windows Secure Kernel Mode Elevation of Privilege (CVE-2024-21302) vulnerabilities used by Leviev to elevate privileges, create malicious updates, and reintroduce security flaws by replacing Windows system files with older versions.
As the company explains, the CVE-2024-38202 Windows Backup privilege escalation vulnerability enables attackers with basic user privileges to "unpatch" previously mitigated security bugs or bypass Virtualization Based Security (VBS) features. Attackers with admin privileges can exploit the CVE-2024-21302 privilege escalation flaw to replace Windows system files with outdated and vulnerable versions.
Microsoft said it's not currently aware of any attempts to exploit these vulnerabilities in the wild and advised implementing the recommendations shared in the two security advisories published today to help reduce the risk of exploitation until a security update is released.
"I was able to show how it was possible to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term 'fully patched' meaningless on any Windows machine in the world," Leviev said.
"We believe the implications are significant not only to Microsoft Windows, which is the world's most widely used desktop OS, but also to other OS vendors that may potentially be susceptible to downgrade attacks."
Update August 07, 17:27 EDT: A Microsoft spokesperson sent the following statement after the story was published.
We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability through a coordinated vulnerability disclosure. We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption.
Microsoft also told BleepingComputer that it is working on an update that will revoke outdated, unpatched Virtualization Based Security (VBS) system files to mitigate the attack. However, testing this update will take time because of the large number of files it affects.
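Because the article's central point is that Windows Update's own "fully updated" status cannot be trusted once components have been rolled back, a defender wants an independent check. The following PowerShell script is an added example and is not code from the article, SafeBreach, or Microsoft. It reports VBS, HVCI, and Credential Guard state through the documented Win32_DeviceGuard WMI class, and it records the version and SHA-256 of a small set of security-critical binaries (the kernel, Secure Kernel, and Hyper-V hypervisor named in the article, plus Code Integrity and LSA) so that a later run can flag any file whose version went down. The file list, the baseline location `$BaselinePath`, and the function names are this example's own choices; it assumes an elevated session on Windows 10 or 11.

```powershell
# Added example (not from the article, SafeBreach or Microsoft): a defender-side check that does
# not rely on the "fully updated" status shown by Windows Update.
# (1) Report VBS / Credential Guard / HVCI state via the documented Win32_DeviceGuard class.
# (2) Inventory version + SHA-256 of security-critical binaries and compare with a saved baseline;
#     a version that is LOWER than the baseline is the signature of a rollback.
# Assumptions: run as Administrator on Windows 10/11; $BaselinePath is a location we chose;
# the file list is our own selection of components to watch.

$BaselinePath = Join-Path $env:ProgramData 'critical-binaries-baseline.json'   # hypothetical path

$CriticalFiles = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",       # NT kernel
    "$env:SystemRoot\System32\securekernel.exe",   # VBS Secure Kernel
    "$env:SystemRoot\System32\hvix64.exe",         # Hyper-V hypervisor (Intel)
    "$env:SystemRoot\System32\hvax64.exe",         # Hyper-V hypervisor (AMD)
    "$env:SystemRoot\System32\ci.dll",             # Code Integrity
    "$env:SystemRoot\System32\lsass.exe"           # Local Security Authority
)

function Get-VbsStatus {
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-CriticalFileInventory {
    foreach ($path in $CriticalFiles) {
        # Only one of hvix64/hvax64 exists, depending on the CPU vendor; skip absent files.
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        [pscustomobject]@{
            Path    = $path
            # Build a comparable System.Version from the four numeric parts of the PE version resource.
            Version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            Sha256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

function Save-Baseline {
    # Record what a known-good, freshly patched machine looks like.
    Get-CriticalFileInventory | ForEach-Object {
        [pscustomobject]@{ Path = $_.Path; Version = $_.Version.ToString(); Sha256 = $_.Sha256 }
    } | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
}

function Test-Rollback {
    # Compare the live inventory with the baseline. A lower version than recorded is a downgrade;
    # a changed hash with an unchanged version also deserves a look.
    $baseline = @{}
    foreach ($entry in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
        $baseline[$entry.Path] = $entry
    }
    foreach ($file in Get-CriticalFileInventory) {
        $known = $baseline[$file.Path]
        if (-not $known) { continue }
        $knownVersion = [version]$known.Version
        if ($file.Version -lt $knownVersion) {
            Write-Warning ("ROLLBACK {0}: {1} -> {2}" -f $file.Path, $knownVersion, $file.Version)
        } elseif ($file.Version -eq $knownVersion -and $file.Sha256 -ne $known.Sha256) {
            Write-Warning ("HASH CHANGED with same version: {0}" -f $file.Path)
        }
    }
}

# Usage: the first run on a known-good machine saves the baseline; later runs compare against it.
Get-VbsStatus | Format-List
if (Test-Path -LiteralPath $BaselinePath) { Test-Rollback } else { Save-Baseline }
```

The baseline has to be refreshed after each legitimate cumulative update, since that is when these versions are expected to move upward, and it should be copied off the host (or compared centrally), because a baseline stored only on the machine being checked can be rewritten along with the binaries it describes.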
Comments
G2852 - 3 months ago
Yesterday, I had a frustrating experience with my administrator account. It kept saying that Windows was fully updated, but I noticed it hadn't received any updates in a while besides virus definitions. When I created a local non-admin account, it found several updates immediately, including a “fixed or fixing” update. I was on the BETA channel, which is supposed to be the recommended stable.
After the update, which took an extremely long time to install, my admin account acted like it was brand new when I logged back in. It even started installing an older update that I had already completed months ago. To make things worse, I found out my Insider BETA was disabled, and it said my Microsoft account wasn't linked, even though it was originally. I had to re-enable it, and after a restart, it started downloading the Insider Preview Channel update again.
Now, my start menu doesn’t work, showing a large blue critical error window. I did a scandisk, dism restore health, chkdsk, and it repaired a few things, but I still cannot type in the search bar, and when I try to leave beta feedback, the text box scrambles anything I try to type. On top of that, my antivirus blocked two Asus Armoury Crate Vulnerability Drivers, which I had installed for my motherboard.
Honestly, I’m fed up with Microsoft. I’ve always been a Windows fan, but the last two years have been a complete joke. Instead of adding more features, they should spend a year focusing on fixing all the security flaws. I’m only on beta so I can get the newest security updates, because who wants to stay on the public stable release when you see articles stating ‘Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs’.
NoneRain - 3 months ago
Ngl, stopped reading after "I was on the BETA channel, which is supposed to be the recommended stable"
electrolite - 3 months ago
lol, I stopped right there as well. Beta channel is stable? Do you even know what a beta release build is? Seriously go back to school.
buzzword - 3 months ago
The BETA channel is only the "recommended stable" compared to the developer channel; it's been more fully tested and there's a lower risk of errors and crashes, but it's still a BETA channel, not *fully* tested and not intended for production use. You use it at your own risk, bugs *are* present, and the purpose of a beta is user testing to find and report them. What happened to you is what beta releases are intended to uncover; you don't moan and bitch about it, you restore from a backup and report the bug (you have a backup, don't you? That's beta testing 101.) You should not be in the insiders program if you don't understand what a beta release is. Especially, *especially* for an operating system.
G2852 - 3 months ago
You all make valid points, and I could have expressed myself better. Whenever I use the public stable version of Windows, I end up facing various issues, often requiring a system format every couple of months. However, when I use the Beta channel, my computer runs smoothly for a very long time, with only a few minor bugs. I've never encountered anything as severe as this rollback of important updates.
This issue isn't limited to the Beta channel either. My partner's Windows laptop, a July 2024 model, came with the public 24H2. Recently, it was rolled back to 23H2, and no updates were available until I created a local non-admin account, which then found the 24H2 update. I didn't think much of it until I saw this article.
Then you see other articles about the Tuesday monthly security patches that don't come out with only a small number of fixes but over 140; that's a huge amount.
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2024-patch-tuesday-fixes-150-security-flaws-67-rces/amp/
https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2024-patch-tuesday-fixes-142-flaws-4-zero-days/
Last year while using the public stable release I was constantly being cyber attacked to a point I started to wonder if I'm better off using the Beta channel rather than the public stable version. Logically, the public stable version should be more secure, but I've experienced more security issues with it compared to the Beta. This is why, to me personally, it felt like a more stable release compared to the public version.
Anyway, my apologies for the original post; next time I'll keep my thoughts to myself.
johnlsenchak - 3 months ago
Wouldn't this be a "security bypass" flaw instead of an escalation of elevated privileges?
leexgx - 3 months ago
"Wouldn't this be a "security bypass" flaw instead of an escalation of elevated privileges?"
It's both, as the first one drops Windows files to an older version (under a normal user account, admin account not needed), then it can use previously working exploits/bugs to gain elevated privileges to do whatever it wants
electrolite - 3 months ago
And that right there is the one exploit to rule them all. Imagine resurrecting Nimda back from the dot-com era grave! (Joking, as that was many OSes ago, so it is unlikely. But given how Windows carries so many legacy modules to the next OS version, e.g. SMB v1 and lord knows how many countless others, there is no limit to what can be brought back.)
tmontney - 3 months ago
""Wouldn't this be a "security bypass" flaw instead of an escalation of elevated privileges?"
It's both, as the first one drops Windows files to an older version (under a normal user account, admin account not needed), then it can use previously working exploits/bugs to gain elevated privileges to do whatever it wants"
A standard user cannot modify items in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" nor set the "Trusted Installer" service's startup type. The issue is that neither an Administrator nor NT SYSTEM has control over the Windows Update process. The author was looking for a way to take control of this process without triggering EDR. This registry key is owned by the local Administrators group, instead of Trusted Installer. This gives you a way to control the process without escalating to Trusted Installer.
Long story short, this requires Administrative privilege.
DrkKnight - 3 months ago
Windows 11
So much for a better, more secure operating system, huh? Has just as many holes as those before it. Pfft
NoneRain - 3 months ago
Win11 efforts are at the low-level stuff. They're using CPU instructions and virtualization to protect the kernel, boot and some parts of memory.
In this case, I do think you would need admin privileges to downgrade the system. It's a route too risky to be functional on a large scale... There are a lot of bells that would go off if a machine is downgraded in a controlled environment.
DrkKnight - 3 months ago
Not according to this article here: https://www.howtogeek.com/windows-update-can-be-hijacked-to-undo-security-patches/
"Using a custom tool called Windows Downdate, he managed to downgrade system files, drivers, and the Windows kernel (the core program which has full control over the operating system) on Windows 10 and 11."
redwolfe_98 - 2 months ago
There are some mitigations that can be used:
https://support.microsoft.com/en-us/topic/kb5042562-guidance-for-blocking-rollback-of-virtualization-based-security-vbs-related-security-updates-b2e7ebf4-f64d-4884-a390-38d63171b8d3