Windows Update downgrade attack “unpatches” fully-updated systems

SafeBreach security researcher Alon Leviev revealed at Black Hat 2024 that two zero-days could be exploited in downgrade attacks to “unpatch” fully updated Windows 10, Windows 11, and Windows Server systems and reintroduce old vulnerabilities.

Microsoft issued advisories on the two unpatched zero-days (tracked as CVE-2024-38202 and CVE-2024-21302) in coordination with the Black Hat talk, providing mitigation advice until a fix is released.

In downgrade attacks, threat actors force an up-to-date target device to roll back to older software versions, reintroducing vulnerabilities that can be exploited to compromise the system.

Leviev discovered that the Windows update process could be compromised to downgrade critical OS components, including dynamic link libraries (DLLs) and the NT Kernel. Even though all of these components were now out of date, when checking with Windows Update, the OS reported that it was fully updated, with recovery and scanning tools unable to detect any issues.

By exploiting the zero-day vulnerabilities, he could also downgrade Credential Guard’s Secure Kernel and Isolated User Mode Process and Hyper-V’s hypervisor to expose past privilege escalation vulnerabilities.

“I discovered multiple ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code integrity (HVCI), even when enforced with UEFI locks. To my knowledge, this is the first time VBS’s UEFI locks have been bypassed without physical access,” Leviev revealed.

“As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term ‘fully patched’ meaningless on any Windows machine in the world.”

As Leviev said, this downgrade attack is undetectable: it is not blocked by endpoint detection and response (EDR) solutions, and it is also invisible to the OS itself, since Windows Update keeps reporting the device as fully updated despite the downgraded components.
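Because Windows Update and the built-in scanning tools keep reporting “fully updated” after the components have been rolled back, a defender cannot rely on update status alone. The following PowerShell script is an added example, not code from the article, from SafeBreach or from Microsoft: it records the file versions of the components the article names (NT kernel, Secure Kernel, the Isolated User Mode process, the Hyper-V hypervisor and a system DLL) together with the VBS/Credential Guard/HVCI state reported by the `Win32_DeviceGuard` WMI class, and on later runs flags any component whose version has gone down or any protection that has been switched off. The component list, the baseline file location and the hvix64/hvax64 handling are the example's own assumptions.

```powershell
# Added example (not from the article, SafeBreach or Microsoft): snapshot the
# versions of VBS/kernel components and later flag a version decrease, which is
# the signal Windows Update does not surface after a downgrade.
# Assumptions: x64 host, default %SystemRoot%; the component list and baseline
# path are this example's choices, not a Microsoft-documented set.

$Components = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",     # NT kernel
    "$env:SystemRoot\System32\securekernel.exe", # Secure Kernel (VBS)
    "$env:SystemRoot\System32\lsaiso.exe",       # Isolated User Mode process (Credential Guard)
    "$env:SystemRoot\System32\hvix64.exe",       # Hyper-V hypervisor (Intel)
    "$env:SystemRoot\System32\hvax64.exe",       # Hyper-V hypervisor (AMD)
    "$env:SystemRoot\System32\ntdll.dll"         # one DLL the update stack replaces
)
$BaselinePath = "$env:ProgramData\vbs-baseline.json"   # hypothetical location

function Get-ComponentVersion {
    param([string]$Path)
    # hvix64/hvax64: only the one matching the CPU vendor is present, so skip absent files.
    if (-not (Test-Path $Path)) { return $null }
    $vi = (Get-Item $Path).VersionInfo
    # Build a comparable [version] from the four numeric parts instead of parsing strings.
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard = ($dg.SecurityServicesRunning -contains 1)
        Hvci            = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Save-Baseline {
    # Run once, immediately after a known-good patch cycle.
    $snap = @{}
    foreach ($p in $Components) {
        $v = Get-ComponentVersion $p
        if ($v) { $snap[$p] = $v.ToString() }
    }
    $snap['__vbs'] = Get-VbsState
    $snap | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
}

function Test-Downgrade {
    # Compare the live system against the stored baseline and report regressions.
    $base = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $findings = @()
    foreach ($p in $Components) {
        $old = $base.$p
        if (-not $old) { continue }
        $now = Get-ComponentVersion $p
        if ($null -eq $now) { $findings += "MISSING   $p (was $old)"; continue }
        # A file version lower than the baseline is the downgrade indicator.
        if ($now -lt [version]$old) { $findings += "DOWNGRADE $p $old -> $now" }
    }
    $vbs = Get-VbsState
    foreach ($k in 'VbsRunning', 'CredentialGuard', 'Hvci') {
        if ($base.__vbs.$k -and -not $vbs.$k) { $findings += "DISABLED  $k was on at baseline" }
    }
    if ($findings.Count -eq 0) { "OK: no component below baseline, VBS state unchanged" }
    else { $findings }
}

# Usage: Save-Baseline after patching, then Test-Downgrade on a schedule or at boot.
```

The check is only as trustworthy as the baseline: an attacker who has already reached the privilege levels the article describes could also rewrite a local baseline file, so in practice the snapshot should be shipped to a central store and the comparison run against that copy rather than against a file on the same host.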

No patches after six months

Leviev unveiled his “Windows Downdate” downgrade attack six months after reporting the vulnerabilities to Microsoft in February as part of a coordinated responsible disclosure process.

Microsoft said today that it’s still working on a fix for the Windows Update Stack Elevation of Privilege (CVE-2024-38202) and Windows Secure Kernel Mode Elevation of Privilege (CVE-2024-21302) vulnerabilities used by Leviev to elevate privileges, create malicious updates, and reintroduce security flaws by replacing Windows system files with older versions.

As the company explains, the CVE-2024-38202 Windows Backup privilege escalation vulnerability enables attackers with basic user privileges to “unpatch” previously mitigated security bugs or bypass Virtualization Based Security (VBS) features. Attackers with admin privileges can exploit the CVE-2024-21302 privilege escalation flaw to replace Windows system files with outdated and vulnerable versions.

Microsoft said it’s not currently aware of any attempts to exploit these vulnerabilities in the wild and advised implementing the recommendations shared in two security advisories published today to help reduce the risk of exploitation until a security update is released.

“I was able to show how it was possible to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term ‘fully patched’ meaningless on any Windows machine in the world,” Leviev said.

“We believe the implications are significant not only to Microsoft Windows, which is the world’s most widely used desktop OS, but also to other OS vendors that may potentially be susceptible to downgrade attacks.”

Update August 07, 17:27 EDT: A Microsoft spokesperson sent the following statement after the story was published.

We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability through a coordinated vulnerability disclosure. We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption.

Microsoft also told BleepingComputer that they are working on an update that will revoke outdated, unpatched Virtualization Based Security (VBS) system files to mitigate the attack. However, it will take time to test this update due to the large number of files that will be impacted.
