Windows Downdate tool lets you ‘unpatch’ Windows systems


SafeBreach security researcher Alon Leviev has released his Windows Downdate tool, which can be used for downgrade attacks that reintroduce old vulnerabilities in up-to-date Windows 10, Windows 11, and Windows Server systems.

In such attacks, threat actors force up-to-date targeted devices to revert to older software versions, thus reintroducing security vulnerabilities that can be exploited to compromise the system.

Windows Downdate is available as an open-source Python-based program and a pre-compiled Windows executable that can help downgrade Windows 10, Windows 11, and Windows Server system components.

Leviev has also shared usage examples for downgrading the Hyper-V hypervisor (to a version roughly two years old), the Windows kernel, the NTFS driver, and the Filter Manager driver (to their base versions), as well as other Windows components and previously applied security patches.

“You can use it to take over Windows Updates to downgrade and expose past vulnerabilities sourced in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets and more,” SafeBreach security researcher Alon Leviev explained.

“Other than custom downgrades, Windows Downdate provides easy to use usage examples of reverting patches for CVE-2021-27090, CVE-2022-34709, CVE-2023-21768 and PPLFault, as well as examples for downgrading the hypervisor, the kernel, and bypassing VBS’s UEFI locks.”


As Leviev explained at Black Hat 2024, where he disclosed the Windows Downdate downgrade attack (which exploits CVE-2024-21302 and CVE-2024-38202), the attack is hard to spot: it is not blocked by endpoint detection and response (EDR) solutions, and Windows Update keeps reporting the targeted system as up to date even after it has been downgraded.

“I discovered multiple ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code integrity (HVCI), even when enforced with UEFI locks. To my knowledge, this is the first time VBS’s UEFI locks have been bypassed without physical access,” Leviev said.

“As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term “fully patched” meaningless on any Windows machine in the world.”

While Microsoft released a security update (KB5041773) on August 7 to fix CVE-2024-21302, a Windows Secure Kernel Mode elevation of privilege flaw, it has yet to patch CVE-2024-38202, a Windows Update Stack elevation of privilege vulnerability.

Until a security update is released, Redmond advises customers to implement recommendations shared in the security advisory published earlier this month to help protect against Windows Downdate downgrade attacks.

Mitigation measures include configuring "Audit Object Access" settings to monitor file access attempts, restricting update and restore operations, using access control lists (ACLs) to limit file access, and auditing privileges to identify attempts to exploit this vulnerability.
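The practical consequence of the above is that Windows Update's "you're up to date" status cannot be trusted on its own. The following PowerShell script is an added example, not code from the article or from SafeBreach's Windows Downdate tool. It records the on-disk versions of the components the tool is known to roll back (kernel, Secure Kernel, hypervisor, NTFS and Filter Manager drivers) as a baseline on a known-good machine, flags any later run where a version has gone backwards, checks that VBS, HVCI and Credential Guard are actually running, confirms KB5041773 is installed, and switches on the "Audit Object Access" file-system auditing Microsoft recommends. The baseline path and the list of servicing directories to audit are assumptions for this example; it is written for Windows PowerShell 5.1 and must run as Administrator.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's or SafeBreach's code). Baseline path and
# audited directories below are assumptions; adjust to your environment.
param(
    [switch]$WriteBaseline,
    [string]$BaselinePath = "$env:ProgramData\downdate-baseline.json"
)

# Components Windows Downdate is documented to downgrade. Extend as needed.
$watched = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",        # NT kernel
    "$env:SystemRoot\System32\securekernel.exe",    # Secure Kernel (VBS)
    "$env:SystemRoot\System32\hvix64.exe",          # Hyper-V hypervisor (Intel)
    "$env:SystemRoot\System32\hvax64.exe",          # Hyper-V hypervisor (AMD)
    "$env:SystemRoot\System32\drivers\ntfs.sys",    # NTFS driver
    "$env:SystemRoot\System32\drivers\fltmgr.sys"   # Filter Manager driver
)

function Get-ComponentVersions {
    $out = @{}
    foreach ($p in $watched) {
        if (Test-Path $p) { $out[$p] = (Get-Item $p).VersionInfo.FileVersion }
    }
    return $out
}

function Compare-Versions($baseline, $current) {
    # FileVersion looks like "10.0.22621.3880 (WinBuild.160101.0800)";
    # keep only the numeric part so [version] can compare it.
    $findings = @()
    foreach ($p in $baseline.Keys) {
        if (-not $current.ContainsKey($p)) { $findings += "MISSING    $p"; continue }
        $b = [version]($baseline[$p] -replace '\s.*$', '')
        $c = [version]($current[$p]  -replace '\s.*$', '')
        if ($c -lt $b) { $findings += "DOWNGRADED $p : $c < $b" }
    }
    return $findings
}

function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard = ($dg.SecurityServicesRunning -contains 1)
        Hvci            = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Enable-ServicingAudit {
    # "Audit Object Access" -> File System subcategory, success and failure.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    # Directories to watch for writes: an assumption for this example.
    $dirs = @("$env:SystemRoot\servicing", "$env:SystemRoot\SoftwareDistribution")
    foreach ($d in $dirs) {
        $acl  = Get-Acl -Path $d -Audit
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            "Everyone", "Write,Delete,ChangePermissions,TakeOwnership",
            "ContainerInherit,ObjectInherit", "None", "Success,Failure")
        $acl.AddAuditRule($rule)
        Set-Acl -Path $d -AclObject $acl
    }
}

function Get-ServicingWriteEvents([int]$Hours = 24) {
    # Event 4663 = "An attempt was made to access an object" (generated by the SACL above).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'servicing|SoftwareDistribution' }
}

$current = Get-ComponentVersions
if ($WriteBaseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    Enable-ServicingAudit
    return
}

if (-not (Test-Path $BaselinePath)) { Write-Warning "No baseline at $BaselinePath; run with -WriteBaseline on a known-good host."; return }
$baseline = @{}
(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object { $baseline[$_.Name] = $_.Value }

$findings = Compare-Versions $baseline $current
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output "Component versions match baseline." }

$vbs = Get-VbsState
if (-not ($vbs.VbsRunning -and $vbs.Hvci)) { Write-Warning "VBS/HVCI not running: $($vbs | Out-String)" }
if (-not (Get-HotFix -Id KB5041773 -ErrorAction SilentlyContinue)) { Write-Warning "KB5041773 (CVE-2024-21302 fix) not installed." }

Write-Output "Writes to servicing directories in the last 24h:"
Get-ServicingWriteEvents | Select-Object TimeCreated, Id, Message | Format-List
```

Run it once with `-WriteBaseline` on a freshly patched reference build, then schedule the plain invocation on fleet hosts; a version that moves backwards while Windows Update still reports "up to date" is exactly the symptom the article describes. Note that the version comparison only catches rollbacks of the files listed in `$watched`, so add any other component you care about, and that the SACL generates a 4663 event for every write by any process, so filter further in your SIEM if the volume is high.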

Sergiu Gatlan
