Alon Leviev, a security researcher at SafeBreach, has drawn urgent attention to software “downgrade attacks” on Windows 10, Windows 11, and Windows Server systems that can force fully up-to-date software to revert to an older version with known, exploitable vulnerabilities.
Making the announcement at the ongoing security conference “Black Hat 2024” held in Las Vegas, Leviev warned that malicious actors can expose and exploit previously “fully patched” vulnerabilities to compromise systems and gain unauthorized access.
Leviev showed how the Windows update process could be compromised to downgrade critical OS components, including dynamic link libraries (DLLs), drivers, and even the NT kernel.
Although a downgrade attack rolls critical components back to older versions, the update check still reports the operating system (OS) as fully updated, future updates can no longer be installed, and recovery and scanning tools are unable to identify any issues.
“I found several vulnerabilities that I used to develop Windows Downdate—a tool to take over the Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components—that allowed me to elevate privileges and bypass security features. As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term “fully patched” meaningless on any Windows machine in the world,” Leviev wrote in a blog post.
The Israeli researcher was able to successfully downgrade Credential Guard’s Isolated User Mode Process, Secure Kernel, and Hyper-V’s hypervisor by exploiting the zero-day vulnerabilities, thereby exposing past privilege escalation vulnerabilities.
“I discovered multiple ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code integrity (HVCI), even when enforced with UEFI locks. To my knowledge, this is the first time VBS’s UEFI locks have been bypassed without physical access,” Leviev revealed.
According to Leviev, this is the first time that the UEFI locks of virtualization-based security (VBS) have been bypassed without physical access. The implications of his research are significant not only for Microsoft Windows but also for any OS vendor whose update mechanism may be subject to downgrade attacks.
SafeBreach Labs reported the downgrade attack, dubbed ‘Windows Downdate,’ to Microsoft in February this year as part of a coordinated responsible disclosure process. Six months after reporting it, Leviev revealed the ‘Windows Downdate’ downgrade attack to the public.
Microsoft has issued advisories on the two unpatched zero-day vulnerabilities (tracked as CVE-2024-38202 and CVE-2024-21302) and said customers will be notified when the official mitigation is available in a Windows security update. It also said that it is not aware of any attempts to exploit these vulnerabilities in the wild.
Meanwhile, the company has issued recommendations that do not fix the vulnerabilities but can reduce the risk of exploitation until the security update is available.
“We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability through a coordinated vulnerability disclosure. We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption,” a Microsoft spokesperson said in a statement.
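The core of the attack described above is that the OS keeps reporting itself as fully patched while the kernel, Secure Kernel, hypervisor and Credential Guard binaries on disk are older. A defender-side sanity check that compares the reported build against the versions actually on disk, and shows the VBS, HVCI and Credential Guard state, is given below as an added example written for this article; it is not code from SafeBreach, Microsoft or the Windows Downdate tool, and the component list and the "older on disk than reported" rule are assumptions for illustration.

```powershell
# Added example (not SafeBreach's or Microsoft's code). Run as Administrator.
# Compares the build Windows *reports* with the version stamps of core binaries,
# then prints the VBS / HVCI / Credential Guard state. Component list is assumed.
$ErrorActionPreference = 'Stop'

# Build and UBR as reported by the OS: this is what "fully patched" is judged against
$cv            = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$reportedBuild = [int]$cv.CurrentBuildNumber
$reportedUbr   = [int]$cv.UBR
Write-Host ("Reported OS build: {0}.{1}" -f $reportedBuild, $reportedUbr)

# Binaries the article names as downgrade targets (assumed list; hvix64 = Intel, hvax64 = AMD hypervisor)
$components = 'ntoskrnl.exe', 'securekernel.exe', 'hvix64.exe', 'hvax64.exe', 'lsaiso.exe', 'ntdll.dll'

$findings = foreach ($name in $components) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path $path)) { continue }      # only one of hvix64/hvax64 may be present
    $vi = (Get-Item $path).VersionInfo            # FileBuildPart = build, FilePrivatePart = UBR
    $older = ($vi.FileBuildPart -lt $reportedBuild) -or
             ($vi.FileBuildPart -eq $reportedBuild -and $vi.FilePrivatePart -lt $reportedUbr)
    [pscustomobject]@{
        Component  = $name
        OnDisk     = '{0}.{1}' -f $vi.FileBuildPart, $vi.FilePrivatePart
        Reported   = '{0}.{1}' -f $reportedBuild, $reportedUbr
        Suspicious = $older                       # binary older than the OS claims: investigate
    }
}
$findings | Format-Table -AutoSize

# VBS state from the Win32_DeviceGuard WMI class.
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
# SecurityServicesConfigured/Running: 1 = Credential Guard, 2 = HVCI
$dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
    0 { 'not enabled' } 1 { 'enabled, not running' } 2 { 'running' } default { 'unknown' }
}
Write-Host "VBS: $vbs"
foreach ($svc in @{ 1 = 'Credential Guard'; 2 = 'HVCI' }.GetEnumerator()) {
    $configured = $dg.SecurityServicesConfigured -contains $svc.Key
    $running    = $dg.SecurityServicesRunning    -contains $svc.Key
    Write-Host ("{0}: configured={1} running={2}" -f $svc.Value, $configured, $running)
    # Configured but not running is exactly the gap a VBS downgrade would leave
    if ($configured -and -not $running) { Write-Warning "$($svc.Value) is configured but not running" }
}

if ($findings | Where-Object Suspicious) {
    Write-Warning 'A core binary is older than the build the OS reports; treat as a downgrade lead and verify offline.'
}
```

A lower on-disk version is a lead rather than proof, since a binary that a given cumulative update did not rebuild can legitimately carry an older stamp; confirm against the update's file manifest before acting. Because the article notes that on-box scanning tools were unable to see the downgrade, run the comparison from a clean boot medium or against an offline image where possible.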