Attackers can install bespoke rootkits on fully patched Windows 11 computers, which can defeat endpoint security measures, conceal malicious programs and network activities, keep a hacked machine persistent and stealthy, and more.
Alon Leviev, a security researcher from SafeBreach, developed an exploit program dubbed Windows Downdate to present a Windows OS downgrade attack technique at Black Hat USA 2024 in August. Leviev demonstrated how an attacker with administrator-level access to a system can manipulate the Windows Update procedure and roll fully patched Windows components—such as the kernel, drivers, and dynamic link libraries—back to their previously vulnerable versions.
Windows OS Downgrade Attack
During the demonstration, the researcher showed that the attack works even where an organization has enabled virtualization-based security (VBS) to protect critical OS components. As part of the demo, Leviev downgraded VBS features such as the Secure Kernel and Credential Guard's Isolated User Mode process to expose privilege escalation vulnerabilities in them that Microsoft had already addressed.
"I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term 'fully patched' meaningless on any Windows machine in the world," Leviev wrote back in August. Following Leviev's discovery and exploitation of two vulnerabilities as part of his attack chain, Microsoft has since patched them (CVE-2024-21302 and CVE-2024-38202). The ability of an attacker with administrator access to manipulate the Windows Update procedure itself and restore important OS components to unsafe states has not yet been addressed by Microsoft, though.
Not a Security Vulnerability?
The problem stems from Microsoft's position that an admin-level user's ability to execute kernel code does not cross a security boundary. "Microsoft did fix every vulnerability that resulted from crossing a defined security boundary," Leviev tells Dark Reading. "Crossing from administrator to the kernel is not considered a security boundary, and hence it was not fixed."
To demonstrate why that is still a risk, Leviev published information on a new Windows downgrade attack he created on October 26. Using his Windows Downdate tool, he was able to resurrect a driver signature enforcement (DSE) bypass attack that Microsoft had stopped with its CVE-2024-21302 fix. He demonstrated how an attacker might take advantage of the vulnerability to install custom rootkits and load unsigned kernel drivers.
According to Leviev's post from October 26, "The 'ItsNotASecurityBoundary' DSE bypass belongs to a new class of flaws known as False File Immutability (FFI)" that Elastic Security researchers uncovered earlier this year. "This class exploits incorrect assumptions about file immutability — specifically, that blocking write access sharing makes a file immutable." According to Leviev, all he needed to do to carry out the attack was to identify the specific OS module (CI.dll) to which Microsoft had applied the patch for CVE-2024-21302, and then use his Downdate tool to downgrade the module back to its unpatched version.
"Downgrading only ci.dll to its unpatched version works well against a fully patched Windows 11 23H2 machine," Leviev commented on October 26. Even with VBS enabled, the researcher noted, he was able to exploit the vulnerability, both with and without the UEFI lock that protects the firmware configuration and boot process. "VBS must be activated with UEFI lock and the 'Mandatory' flag to completely mitigate the attack. If not, an attacker might downgrade ci.dll, disable VBS, and effectively make use of the vulnerability," he said.
Tim Peck, a senior security researcher at Securonix, explained in an emailed comment that Windows Downdate attacks exploit the fact that Windows does not always verify the version numbers of its DLLs when loading them. This allows "attackers to trick the operating system (OS) into using outdated files that are more susceptible to exploitation," he said. "If the attacker can downgrade Windows Defender, especially in regards to security updates, they would have free rein to execute malicious files or tactics that would normally have been caught."
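The two defensive checks the preceding paragraphs imply, whether VBS is enabled with the UEFI lock and the 'Mandatory' flag that Leviev says are required to fully mitigate the downgrade, and whether the ci.dll on disk still matches a known-good build, can be audited with a short script. The following PowerShell is an added example written for this article; it is not code from SafeBreach, from the Windows Downdate tool, or from Microsoft. The registry value names are the ones Microsoft documents for VBS and HVCI configuration, the Win32_DeviceGuard WMI class is Microsoft's runtime status interface, and the expected ci.dll version is a placeholder that must be filled from a trusted baseline (an assumption, not a value from the article).

```powershell
# Added audit script (not from the article or from Windows Downdate).
# Checks the VBS configuration the article names as the full mitigation
# (enabled + UEFI lock + 'Mandatory') and records the ci.dll file version
# so it can be compared against a known-good baseline.

$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent means "not configured", which is a finding below
}

$config = [ordered]@{
    VbsEnabled   = Get-RegDword $dgKey   'EnableVirtualizationBasedSecurity'
    VbsUefiLock  = Get-RegDword $dgKey   'Locked'      # 1 = cannot be turned off without physical presence
    VbsMandatory = Get-RegDword $dgKey   'Mandatory'   # 1 = boot fails rather than silently running without VBS
    HvciEnabled  = Get-RegDword $hvciKey 'Enabled'
    HvciUefiLock = Get-RegDword $hvciKey 'Locked'
}

# Runtime view: what is actually running, not merely what the registry requests.
# VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$config.VbsRunningStatus        = $dg.VirtualizationBasedSecurityStatus
$config.SecurityServicesRunning = ($dg.SecurityServicesRunning -join ',')

$findings = @()
if ($config.VbsEnabled   -ne 1) { $findings += 'VBS is not enabled' }
if ($config.VbsUefiLock  -ne 1) { $findings += 'VBS is not UEFI-locked: an administrator can disable it from the registry' }
if ($config.VbsMandatory -ne 1) { $findings += "'Mandatory' flag is not set: a downgraded component could leave VBS off silently" }
if ($config.VbsRunningStatus -ne 2) { $findings += 'VBS is configured but not running' }
if ($dg.SecurityServicesRunning -notcontains 2) { $findings += 'HVCI is not running' }

# Version of the code-integrity module the article names as the downgrade target.
$ci = Get-Item "$env:SystemRoot\System32\ci.dll"
$config.CiDllVersion = $ci.VersionInfo.FileVersion
$expectedCiVersion = '<FILL-FROM-TRUSTED-BASELINE>'   # placeholder: take this from a patched reference host
if ($expectedCiVersion -notlike '<*' -and $config.CiDllVersion -ne $expectedCiVersion) {
    $findings += "ci.dll version $($config.CiDllVersion) differs from baseline $expectedCiVersion"
}

[pscustomobject]$config | Format-List
if ($findings.Count -eq 0) { 'No findings: VBS enabled, UEFI-locked and mandatory; ci.dll matches baseline.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated PowerShell session. The registry values describe the requested policy, while Win32_DeviceGuard reports what the running system actually enforces; the two can disagree after a downgrade, which is why both are read. The ci.dll version comparison is only as good as the baseline you supply, and a version string alone does not prove file integrity, so pair it with your existing update-compliance reporting.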
Microsoft is currently working on a solution.
In an email, a Microsoft representative stated that the company is "actively developing mitigations to protect against these risks," but did not say what steps it would take or when they would be implemented. The company is working carefully through the update's development and compatibility testing, he wrote.
"We are developing a security update that will revoke outdated, unpatched VBS system files to mitigate this threat," he stated. "Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions." Additionally, he stated that Microsoft will keep updating its information about CVE-2024-21302 with any new mitigation or risk-reduction guidance that becomes available.