CyberSecurity SEE

New technique allows hackers to downgrade patched systems and exploit vulnerabilities


A researcher has discovered a vulnerability in the Windows Update process that allows critical system components such as DLLs, drivers and the NT kernel to be downgraded to older, vulnerable versions. By exploiting it, an attacker can circumvent security measures like Secure Boot and re-expose vulnerabilities that had already been patched.

The research also demonstrates several ways to disable Virtualization-Based Security (VBS), and with it the features that depend on it, Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when VBS is enforced with a UEFI lock. The result is that a "fully patched" Windows system can still carry significant risk.

The "ItsNotASecurityBoundary" DSE (Driver Signature Enforcement) bypass takes advantage of a False File Immutability (FFI) flaw: a double-read condition in the page fault handler lets an attacker change the contents of a file the kernel treats as immutable after it has been verified. Applied to a security catalog, this becomes a TOCTOU race in which the verified catalog is swapped for a malicious one between the signature check and the parse, so the system accepts an unsigned kernel driver as if it carried a valid Authenticode signature, bypassing code integrity and potentially compromising the kernel.

The fix targeted by the downgrade lives in ci.dll, the code integrity module, in version 10.0.22621.1376; the attack rolls ci.dll back to an earlier, unpatched version on a fully patched Windows 11 23H2 machine. Virtualization-Based Security poses a challenge, however, because HVCI enforces code integrity from the secure kernel rather than from ci.dll alone, and especially so when VBS is enabled with UEFI lock and the "Mandatory" flag. Understanding the VBS enablement modes and what each one actually guarantees is therefore key to judging whether a downgrade attack is feasible.

Where VBS is enabled through the registry alone, an attacker with administrator rights can simply turn it off by modifying the registry and then exploit downgraded system files with a bug such as "ItsNotASecurityBoundary". UEFI Lock adds a layer of protection: the VBS configuration is also stored in a UEFI variable, so the registry can no longer be used to disable it.

While UEFI Lock prevents remote (registry-based) modifications, a local attacker can still defeat it by corrupting core VBS components such as SecureKernel.exe: when VBS fails to start, the system boots without it, and the attacker can then exploit vulnerabilities despite the lock. Enabling VBS with both the UEFI lock and the "Mandatory" flag closes this gap: the lock prevents unauthorized changes to the VBS configuration, and the Mandatory flag makes the boot fail rather than fall back to running without VBS if VBS files are corrupted.
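The following PowerShell audit script is an added example, not part of the original article or of SafeBreach's tooling. It reports which VBS enablement mode the local machine is in (registry only, UEFI lock, UEFI lock plus Mandatory) using the DeviceGuard registry keys and the Win32_DeviceGuard WMI class, and it checks whether the installed ci.dll is older than the 10.0.22621.1376 build named above, which is the simplest sign of the downgrade described here. Assumptions: the Mandatory flag is read as a DWORD named Mandatory under the DeviceGuard key (adjust if your build stores it elsewhere), and the version comparison is only meaningful on Windows 11 22H2/23H2, which share the 22621 ci.dll build line.

```powershell
# Added audit script (not from the article or SafeBreach): report the VBS
# enablement mode and check ci.dll against the build that carries the fix.
# Run from an elevated PowerShell prompt on Windows 11 22H2/23H2.

# Version named on the page as the one holding the ItsNotASecurityBoundary
# patch. Assumption: any ci.dll at or above it is treated as "not downgraded".
$PatchedCiVersion = [version]'10.0.22621.1376'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent so callers can treat "unset" distinctly.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-VbsMode {
    $dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $enabled   = Get-RegDword $dg 'EnableVirtualizationBasedSecurity'
    $locked    = Get-RegDword $dg 'Locked'        # 1 = configuration also written to a UEFI variable
    # Assumption: the Mandatory flag is stored as a DWORD next to the other
    # DeviceGuard values; adjust the name/path if your build differs.
    $mandatory = Get-RegDword $dg 'Mandatory'

    # Win32_DeviceGuard reports what is actually running, not just what is configured.
    $wmi = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $running  = ($wmi.VirtualizationBasedSecurityStatus -eq 2)   # 0 = off, 1 = enabled, 2 = running
    $services = @()
    if ($wmi.SecurityServicesRunning -contains 1) { $services += 'CredentialGuard' }
    if ($wmi.SecurityServicesRunning -contains 2) { $services += 'HVCI' }

    # Map the configuration to the enablement modes discussed in the article.
    $mode = if ($enabled -ne 1 -and -not $running) {
                'Disabled'
            } elseif ($locked -ne 1) {
                'Enabled, registry only (an administrator can turn it off via the registry)'
            } elseif ($mandatory -ne 1) {
                'Enabled + UEFI lock (fails open: boots without VBS if VBS files are corrupted)'
            } else {
                'Enabled + UEFI lock + Mandatory (boot fails if VBS cannot start)'
            }

    [pscustomobject]@{
        Mode            = $mode
        Running         = $running
        ServicesRunning = ($services -join ',')
    }
}

function Test-CiDllDowngraded {
    param([string]$Path = "$env:SystemRoot\System32\ci.dll")
    # Build the version from the numeric FileVersionInfo parts rather than parsing
    # the free-form FileVersion string.
    $vi = (Get-Item -Path $Path).VersionInfo
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Path       = $Path
        Installed  = $installed
        Patched    = $PatchedCiVersion
        Downgraded = ($installed -lt $PatchedCiVersion)
    }
}

Get-VbsMode | Format-List
Test-CiDllDowngraded | Format-List
```

A file version check is necessary but not sufficient: a downgraded binary still carries a valid Microsoft signature, so signature validation alone will not flag it, and a machine reporting "registry only" or "UEFI lock without Mandatory" is the one where the downgrade of SecureKernel.exe described above would silently leave VBS off at the next boot.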

Recent research by SafeBreach identifies the downgrading of first-party components, including the operating system kernel, as a new threat vector for Windows systems. By reverting a component to an older, less secure version, an attacker can exploit vulnerabilities in it to bypass modern security measures and gain unauthorized access to the system; this is known as a downgrade attack. Because the method resurrects previously patched vulnerabilities, endpoint security solutions need to be able to detect and prevent such attacks even though they do not follow conventional privilege escalation paths.
