SafeBreach security researcher Alon Leviev has unveiled a groundbreaking tool known as Windows Downdate, designed to facilitate downgrade attacks that can reintroduce previously patched vulnerabilities into current Windows 10, Windows 11, and Windows Server systems. This tool allows malicious actors to compel updated devices to revert to older software versions, thereby exposing them to security flaws that can be exploited.
Tool Overview
Windows Downdate is available as an open-source program built on Python, as well as a pre-compiled executable for Windows users. It enables the downgrading of various system components, including the Hyper-V hypervisor, Windows Kernel, NTFS driver, and Filter Manager driver, among others. Leviev has provided several practical examples demonstrating how to revert these components to their base versions, effectively reinstating vulnerabilities that were previously patched.
“You can use it to take over Windows Updates to downgrade and expose past vulnerabilities sourced in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets, and more,” Leviev elaborated. He also highlighted that the tool offers straightforward examples for reverting patches related to notable vulnerabilities such as CVE-2021-27090, CVE-2022-34709, CVE-2023-21768, and PPLFault.
Undetectable Exploits
During his presentation at Black Hat 2024, Leviev disclosed that the Windows Downdate tool exploits vulnerabilities CVE-2024-21302 and CVE-2024-38202. One of the most alarming aspects of this tool is its undetectability; it operates without being flagged by endpoint detection and response (EDR) solutions, while Windows Update continues to indicate that the system remains up-to-date, despite the downgrades.
“I discovered multiple ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when enforced with UEFI locks. To my knowledge, this is the first time VBS’s UEFI locks have been bypassed without physical access,” Leviev stated. This capability effectively transforms a fully patched Windows machine into one vulnerable to a multitude of past exploits, rendering the term “fully patched” virtually meaningless in the context of Windows security.
Microsoft’s Response
In response to these developments, Microsoft released a security update (KB5041773) on August 7 to address the CVE-2024-21302 vulnerability related to Windows Secure Kernel Mode privilege escalation. However, a patch for CVE-2024-38202, which pertains to Windows Update Stack elevation of privilege, has yet to be issued. Until a fix is made available, Microsoft recommends that customers implement protective measures outlined in a recent security advisory.
- Configure “Audit Object Access” settings to monitor file access attempts.
- Restrict update and restore operations.
- Utilize Access Control Lists to limit file access.
- Audit privileges to identify potential exploitation attempts.
