Exploiting the Update Process
At the recent Black Hat 2024 conference, SafeBreach security researcher Alon Leviev brought to light a concerning discovery: two zero-day vulnerabilities that could be exploited in downgrade attacks, effectively "unpatching" fully updated Windows 10, Windows 11, and Windows Server systems. This revelation has raised alarms within the cybersecurity community, as it reintroduces old vulnerabilities that could compromise system integrity.
Leviev's research revealed that the Windows update process could be manipulated to downgrade critical operating system components, such as dynamic link libraries (DLLs) and the NT Kernel. Alarmingly, even after these components had been rolled back, the Windows Update system reported that the OS was fully updated. Recovery and scanning tools were unable to detect any discrepancies, creating a deceptive facade of security.
By leveraging these zero-day vulnerabilities, Leviev demonstrated the ability to downgrade essential security features such as Credential Guard's Secure Kernel and Isolated User Mode process, as well as Hyper-V's hypervisor. Doing so re-exposed previously mitigated privilege escalation vulnerabilities, which could then be exploited by malicious actors.
Leviev stated, "I discovered multiple ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when enforced with UEFI locks. To my knowledge, this is the first time VBS's UEFI locks have been bypassed without physical access." This groundbreaking finding suggests that a fully patched Windows machine could be rendered vulnerable to thousands of past exploits, effectively nullifying the concept of being "fully patched."
Moreover, Leviev emphasized the stealthy nature of this downgrade attack, noting that it remains undetectable by endpoint detection and response (EDR) solutions. The Windows Update system's misleading reports of a fully updated device further complicate the detection of such downgrades.
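Because Windows Update and the built-in recovery tools keep reporting a fully patched state, a defender needs an independent check. The following PowerShell audit is an added example (not code from the article or from SafeBreach): it compares the on-disk version of the kernel, Secure Kernel and hypervisor binaries with the build and update build revision (UBR) that Windows itself reports. The registry path, the file list and the Windows 10/11 layout are assumptions.

```powershell
# Added example, not part of the original article. Assumes Windows 10/11,
# run from an elevated prompt. Downgraded files in this attack are genuine,
# Microsoft-signed older builds, so Get-AuthenticodeSignature would still
# pass; version metadata is what gives them away.

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$expectedBuild = [int]$cv.CurrentBuild   # e.g. 22631
$expectedUbr   = [int]$cv.UBR            # cumulative-update revision
Write-Host "OS reports build $expectedBuild.$expectedUbr"

# Components the article names as downgrade targets (NT kernel, Secure Kernel,
# Hyper-V hypervisor) plus a few core DLLs. File names are assumptions.
$targets = @(
    'ntoskrnl.exe', 'securekernel.exe', 'hvix64.exe', 'hvax64.exe',
    'ntdll.dll', 'kernel32.dll', 'lsasrv.dll'
) | ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

$findings = foreach ($path in $targets) {
    if (-not (Test-Path $path)) { continue }   # e.g. hvax64.exe is absent on Intel hosts
    $v = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    $status = if ($v.FileBuildPart -lt $expectedBuild) {
        'OLDER BUILD'   # file predates the OS build the registry claims: strong rollback signal
    } elseif ($v.FileBuildPart -eq $expectedBuild -and $v.FilePrivatePart -lt $expectedUbr) {
        'OLDER UBR'     # review: can be benign if recent cumulative updates did not touch this file
    } else {
        'OK'
    }
    [pscustomobject]@{
        File    = Split-Path $path -Leaf
        Version = $v.FileVersion
        Status  = $status
    }
}

$findings | Format-Table -AutoSize
if ($findings.Status -contains 'OLDER BUILD') {
    Write-Warning 'Core binaries are older than the installed build; investigate for a downgrade.'
}
```

Run it from a known-good baseline first so that legitimately unchanged files are not mistaken for rolled-back ones.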
Ongoing Developments
In a coordinated effort, Microsoft has issued advisories regarding these unpatched zero-days, identified as CVE-2024-38202 and CVE-2024-21302, providing mitigation strategies until a permanent fix can be implemented. The nature of downgrade attacks allows threat actors to force an updated device to revert to older software versions, thereby reactivating vulnerabilities that had previously been addressed.
Leviev's "Windows Downdate" attack was unveiled six months after he responsibly disclosed the vulnerabilities to Microsoft in February. In a statement, Microsoft acknowledged the ongoing efforts to develop a fix for the vulnerabilities associated with the Windows Update Stack Elevation of Privilege and Windows Secure Kernel Mode Elevation of Privilege. These vulnerabilities could allow attackers to elevate privileges, create malicious updates, and replace system files with outdated versions.
According to Microsoft, the CVE-2024-38202 vulnerability permits attackers with basic user privileges to "unpatch" previously mitigated security flaws or bypass VBS features. Meanwhile, those with administrative privileges could exploit the CVE-2024-21302 flaw to replace critical system files with older, vulnerable versions.
While Microsoft has stated that it is not currently aware of any active exploitation of these vulnerabilities, the company has advised users to implement the recommendations outlined in the advisories it has released. Leviev's comments underscore the potential ramifications of these findings, not only for Microsoft Windows—widely regarded as the most utilized desktop operating system—but also for other operating systems that may be vulnerable to similar downgrade attacks.