Risks of Windows Downgrade attacks exposing patched systems to old vulnerabilities

Aug 08, 2024 | Ravie Lakshmanan | Windows Security / Vulnerability

Microsoft says it is developing security updates to close two vulnerabilities. According to Microsoft, these vulnerabilities could be exploited to perform downgrade attacks on the Windows update architecture, replacing current versions of operating system files with older versions.

The vulnerabilities are listed below:

  • CVE-2024-38202 (CVSS Score: 7.3) – Windows Update Stack Elevation of Privilege Vulnerability
  • CVE-2024-21302 (CVSS Score: 6.7) – Windows Secure Kernel Mode Elevation of Privilege Vulnerability

The discovery and reporting of the flaws is attributed to Alon Leviev, a researcher at SafeBreach Labs. He presented the findings at Black Hat USA 2024 and DEF CON 32.

CVE-2024-38202, which is rooted in the Windows Backup component, allows an “attacker with basic user privileges to reintroduce previously fixed vulnerabilities or bypass certain features of Virtualization Based Security (VBS),” the tech giant said.

However, it was noted that an attacker wishing to exploit the flaw would need to convince an administrator or a user with delegated privileges to perform a System Restore, thereby inadvertently triggering the vulnerability.

The second vulnerability also involves a case of privilege escalation in Windows systems that support VBS, allowing an attacker to effectively replace current versions of Windows system files with outdated versions.

CVE-2024-21302 could be weaponized to reintroduce previously addressed vulnerabilities, bypass certain VBS functionality, and exfiltrate data protected by VBS.

Leviev, describing a tool called Windows Downdate, said it could be used to “make a fully patched Windows machine susceptible to thousands of old vulnerabilities, turning fixed vulnerabilities into zero-days and rendering the term ‘fully patched’ meaningless on any Windows machine in the world.”

The tool, Leviev added, could “take over the Windows Update process to perform completely silent, invisible, persistent, and irreversible downgrades of critical OS components, allowing me to escalate privileges and bypass security features.”

Additionally, Windows Downdate can bypass verification steps such as integrity checking and Trusted Installer enforcement, effectively allowing the downgrade of critical operating system components including Dynamic Link Libraries (DLLs), drivers, and the NT kernel.

The issues can also be exploited to downgrade Credential Guard’s Isolated User Mode Process, the Secure Kernel, and the Hyper-V hypervisor, thereby exposing previous privilege escalation vulnerabilities and disabling VBS, along with features such as Hypervisor-Protected Code Integrity (HVCI).

The end result is that a fully patched Windows system can be susceptible to thousands of past vulnerabilities, turning fixed flaws into zero-days.

These downgrades have a further effect: the operating system still reports that it is fully updated, while future updates are prevented from installing and recovery and scanning tools fail to detect the change.
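As an added example (not from the article, Microsoft, or SafeBreach), here is one defensive check for the situation described above: since the operating system's own update status cannot be relied on, compare the file versions of critical components against a baseline recorded elsewhere and flag anything that moved backwards. It assumes a downgraded file carries its older version number; the inventories, version numbers and function names are constructed for illustration.

```python
from typing import NamedTuple

# Constructed inventories: {file path: file version string}. The file names are
# real Windows components; every version number here is made up for the example.
BASELINE = {  # assumed to be recorded after patching and stored off the endpoint
    r"C:\Windows\System32\ntoskrnl.exe": "10.0.1000.200",
    r"C:\Windows\System32\securekernel.exe": "10.0.1000.200",
    r"C:\Windows\System32\ci.dll": "10.0.1000.200",
    r"C:\Windows\System32\LsaIso.exe": "10.0.1000.150",
}
CURRENT = {  # what a later collection run found on disk
    r"c:\windows\system32\ntoskrnl.exe": "10.0.1000.200 (WinBuild.160101.0800)",
    r"C:\Windows\System32\securekernel.exe": "10.0.1000.90",  # went backwards
    r"C:\Windows\System32\ci.dll": "10.0.1000.310",  # newer: a normal update
}  # LsaIso.exe is absent from this run

class Finding(NamedTuple):
    path: str
    status: str  # "downgraded", "missing" or "unparseable"
    expected: str
    observed: str

def parse_version(text):
    """'10.0.1000.90 (WinBuild...)' -> (10, 0, 1000, 90); ValueError if malformed."""
    parts = (text.split() or [""])[0].split(".")
    if len(parts) != 4:
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def find_regressions(baseline, current):
    """Report baseline files that are missing or older in the current inventory."""
    seen = {p.lower(): v for p, v in current.items()}  # paths are case-insensitive
    findings = []
    for path, expected in sorted(baseline.items()):
        observed = seen.get(path.lower())
        if observed is None:
            findings.append(Finding(path, "missing", expected, ""))
            continue
        try:
            # Compare as integer tuples: as strings, "90" would sort after "200".
            if parse_version(observed) < parse_version(expected):
                findings.append(Finding(path, "downgraded", expected, observed))
        except ValueError:
            findings.append(Finding(path, "unparseable", expected, observed))
    return findings

if __name__ == "__main__":
    for f in find_regressions(BASELINE, CURRENT):
        print(f"{f.status:12} {f.path}  expected>={f.expected}  observed={f.observed or '-'}")
```

The comparison is only as trustworthy as the baseline, so the baseline has to be stored and evaluated somewhere the monitored machine cannot modify.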

“The downgrade attack I was able to perform on the virtualization stack within Windows was possible due to a design flaw that allowed less privileged virtual trust levels/rings to update components that were in more privileged virtual trust levels/rings,” Leviev said.

“This was very surprising, as Microsoft’s VBS features were announced in 2015. That means the downgrade attack surface I discovered has been around for almost a decade.”