In a proactive move, Microsoft has announced its commitment to developing security updates aimed at addressing two critical vulnerabilities within the Windows operating system. These vulnerabilities pose a risk of downgrade attacks, which could potentially allow malicious actors to replace current operating system files with outdated versions.
Identified Vulnerabilities
The vulnerabilities identified are:
- CVE-2024-38202 (CVSS score: 7.3) – Windows Update Stack Elevation of Privilege Vulnerability
- CVE-2024-21302 (CVSS score: 6.7) – Windows Secure Kernel Mode Elevation of Privilege Vulnerability
The discovery of these flaws is credited to Alon Leviev, a researcher from SafeBreach Labs, who presented his findings at both Black Hat USA 2024 and DEF CON 32. The first vulnerability, CVE-2024-38202, is linked to the Windows Backup component and allows an attacker with basic user privileges to potentially reintroduce previously mitigated vulnerabilities or bypass certain features of Virtualization Based Security (VBS).
However, exploiting this vulnerability requires the attacker to persuade an Administrator or a user with delegated permissions to perform a system restore, which inadvertently activates the flaw. The second vulnerability, CVE-2024-21302, also pertains to privilege escalation in Windows systems that support VBS, enabling an adversary to replace current Windows system files with older versions.
Implications and Risks
The implications of CVE-2024-21302 are significant, as it could be weaponized to reintroduce previously addressed security flaws, bypass VBS features, and exfiltrate data protected by VBS. Leviev elaborated on a tool he developed, named Windows Downdate, which can transform a fully patched Windows machine into one vulnerable to numerous past exploits. This tool effectively undermines the integrity of the operating system by allowing for undetectable downgrades of critical components, thereby elevating privileges and circumventing security measures.
Windows Downdate can bypass essential verification steps, including integrity checks and Trusted Installer enforcement, making it feasible to downgrade vital operating system components such as dynamic link libraries (DLLs), drivers, and the NT kernel. The ramifications of these vulnerabilities extend further, as they could facilitate downgrades of Credential Guard’s Isolated User Mode Process, Secure Kernel, and Hyper-V’s hypervisor, exposing systems to previously addressed privilege escalation vulnerabilities and disabling VBS and related features like Hypervisor-Protected Code Integrity (HVCI).
Consequently, a fully patched Windows system could be rendered susceptible to thousands of past vulnerabilities, effectively transforming resolved issues into zero-day threats. Notably, these downgrades can mislead the operating system into reporting that it is fully updated, while simultaneously obstructing future updates and hindering detection by recovery and scanning tools.
Leviev remarked on the surprising nature of this downgrade attack, highlighting a design flaw that permits less privileged virtual trust levels to update components within more privileged levels. This flaw has persisted for nearly a decade since the introduction of Microsoft’s VBS features in 2015.
For those interested in staying informed about such developments, following our updates on Twitter and LinkedIn will provide access to exclusive content and insights.