A recent discovery has shed light on a significant vulnerability in fully patched Windows 11 systems that could leave them open to attacks by cyber adversaries. These attacks could result in the installation of custom rootkits, bypassing endpoint security mechanisms, and maintaining persistence on compromised systems. The vulnerability was demonstrated by security researcher Alon Leviev at the Black Hat USA 2024 conference in August, where he showcased the use of a Windows OS downgrade attack technique to exploit fully patched Windows components.
Leviev’s exploit tool, Windows Downdate, allows an attacker with admin-level access to tamper with the Windows Update process and revert critical OS components, such as dynamic link libraries, drivers, and the kernel, back to a vulnerable state. This manipulation effectively renders the term “fully patched” meaningless on any Windows machine worldwide. Despite Leviev reporting two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) to Microsoft, the company has yet to address the ability for an attacker to abuse the Windows Update process to downgrade OS components.
The issue lies in Microsoft’s stance regarding the crossing of security boundaries, where an admin-level user gaining kernel code execution is not considered a security breach. Leviev highlighted this by releasing details of a new downgrade attack on Oct. 26, showcasing how his Windows Downdate tool could revive a driver signature enforcement bypass attack that Microsoft had previously patched. This attack could lead to the loading of unsigned kernel drivers and the deployment of customized rootkits.
The attack, which Leviev named the “ItsNotASecurityBoundary” DSE (driver signature enforcement) bypass, abuses false file immutability to trick the operating system into loading outdated, exploitable files. Leviev demonstrated that downgrading a single OS module, CI.dll (the code integrity library), is enough to compromise a fully patched Windows 11 system, even with virtualization-based security (VBS) enabled. To fully mitigate the attack, VBS must be enabled with UEFI lock and the ‘Mandatory’ flag, which prevents an attacker with admin rights from downgrading these critical OS components.
Tim Peck, a senior threat researcher at Securonix, explained that these attacks exploit the OS’s failure to validate the version numbers of DLLs it installs, which allows older files with known weaknesses to replace patched ones. If Windows Defender itself were downgraded, attackers could run malicious files undetected. Microsoft has acknowledged the issue and says it is working on mitigations that revoke outdated, unpatched VBS system files.
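The two defensive checks a practitioner would want from the previous paragraphs are whether the named mitigation (VBS enabled, UEFI-locked, with the Mandatory flag) is actually in place, and whether the on-disk versions of CI.dll and related kernel-mode components have moved backwards since a known-good baseline. The script below is an added example written for this page; it is not the article’s content and not part of the Windows Downdate tool. It reads the documented Win32_DeviceGuard WMI class and the DeviceGuard registry keys; the exact registry location of the ‘Mandatory’ value is an assumption here and should be confirmed against Microsoft’s documentation. The component list and the baseline file path are choices made for the example.

```powershell
# Added example (not from the article or from the Windows Downdate tool).
# Run in an elevated PowerShell session. First run writes a version baseline;
# later runs compare against it and warn if a component got OLDER (a downgrade).
$ErrorActionPreference = 'Stop'

# --- 1. VBS / HVCI runtime state from the Device Guard WMI class ---
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
$vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = VBS running
$hvciRunning = ($dg.SecurityServicesRunning -contains 2)       # 2 = HVCI (memory integrity)

# --- 2. Lock / mandatory flags from the registry ---
$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name).$Name } catch { $null }
}

$vbsLocked  = (Get-RegDword $dgKey   'Locked') -eq 1   # UEFI lock for VBS
$hvciLocked = (Get-RegDword $hvciKey 'Locked') -eq 1   # UEFI lock for HVCI
# ASSUMPTION: the 'Mandatory' flag the article names is read from the DeviceGuard key.
$vbsMandatory = (Get-RegDword $dgKey 'Mandatory') -eq 1

[pscustomobject]@{
    VbsRunning   = $vbsRunning
    VbsUefiLock  = $vbsLocked
    VbsMandatory = $vbsMandatory
    HvciRunning  = $hvciRunning
    HvciUefiLock = $hvciLocked
    # The configuration the article describes as fully mitigating the attack
    Mitigated    = ($vbsRunning -and $vbsLocked -and $vbsMandatory)
} | Format-List

# --- 3. Version baseline for downgrade-sensitive components ---
# CI.dll is the module the article names; the others are kernel-mode pieces
# chosen for this example (skipped if not present on the system).
$components   = 'ci.dll', 'ntoskrnl.exe', 'securekernel.exe', 'skci.dll'
$baselinePath = Join-Path $env:ProgramData 'ci-version-baseline.json'   # example location

$current = foreach ($name in $components) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path $path) {
        $vi = (Get-Item $path).VersionInfo
        # Build a comparable [version] from the numeric parts; FileVersion is a
        # free-form string and does not cast reliably.
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Name    = $name
            Version = $ver.ToString()
            Sha256  = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
}

if (Test-Path $baselinePath) {
    $baseline = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
    foreach ($cur in $current) {
        $old = $baseline | Where-Object { $_.Name -eq $cur.Name }
        if (-not $old) { continue }
        if ([version]$cur.Version -lt [version]$old.Version) {
            Write-Warning "$($cur.Name) went from $($old.Version) to $($cur.Version): possible downgrade"
        } elseif ($cur.Sha256 -ne $old.Sha256) {
            Write-Output "$($cur.Name) changed ($($old.Version) -> $($cur.Version)); hash differs, likely a normal update"
        }
    }
} else {
    $current | ConvertTo-Json | Set-Content -Path $baselinePath
    Write-Output "Baseline written to $baselinePath"
}
```

The version comparison is the part that matters for this attack class: a legitimate update moves a file’s version forward, so a component whose version decreases between two runs is the signal worth alerting on, regardless of whether the file still carries a valid Microsoft signature. Keep the baseline somewhere an admin-level attacker cannot simply overwrite (for example, ship it to a central log collector) or the check can be defeated along with the files it watches.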
Additionally, Microsoft is conducting thorough testing to ensure the effectiveness of these mitigations. Updates on CVE-2024-21302 will continue to be provided, along with additional mitigation strategies as they become available. It is crucial for users to remain vigilant and implement necessary security measures to protect their systems from potential downgrade attacks.

