New Windows Downgrade Attack Let Hackers Downgrade Patched Systems
Hackers often target Microsoft Windows primarily due to its widespread usage and market dominance. With more than 80% of the desktop OS market share, Windows system vulnerabilities present numerous exploitation opportunities.
SafeBreach analysts recently identified a new Windows downgrade attack that lets attackers roll back and exploit already-patched systems.
In August, security researcher Alon Leviev presented “Windows Downdate” at Black Hat USA 2024 and DEF CON 32, exposing critical Windows security weaknesses.
The tool manipulates “Windows Update” to perform targeted downgrades of essential OS components that effectively revive previously patched vulnerabilities.
While Microsoft addressed CVE-2024-21302 (a privilege escalation vulnerability affecting Windows virtualization), the underlying Windows Update weakness remains unpatched, because Microsoft does not classify administrator-to-kernel code execution as a security boundary violation.
The research leveraged this to bypass Driver Signature Enforcement (DSE), allowing unsigned kernel drivers to load through the “ItsNotASecurityBoundary” exploit.
That bypass relies on a false file immutability (FFI) weakness and a time-of-check/time-of-use (TOCTOU) race condition in security catalog validation.
Downgrade Attack
Specifically, by downgrading ci.dll to version 10.0.22621.1376 on Windows 11 23H2 systems, threat actors can evade Virtualization-Based Security (VBS) protections, even those enforced through UEFI locks.
This allows the deployment of rootkits capable of hiding malicious processes and network activity.
The attack succeeds either by modifying registry keys (for standard VBS configurations) or by invalidating SecureKernel.exe (for UEFI-locked systems). This reveals a critical flaw in the Windows security architecture: fully patched systems can be compromised through controlled downgrades of individual components.
Windows VBS is a critical security feature that can be hardened through two mechanisms, both configurable via the Windows Registry or the Local Group Policy Editor:
- UEFI Lock
- Mandatory flag
The UEFI Lock stores the VBS configuration in a UEFI variable called VbsPolicy to prevent remote modification. On its own, however, this protection can be evaded through a sophisticated attack chain: corrupting SecureKernel.exe (a crucial VBS component), downgrading ci.dll (the Code Integrity module) to a vulnerable version, and exploiting the flaw known as “ItsNotASecurityBoundary.”
To establish strong protection, system administrators must enable both the UEFI Lock (using “reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v Locked /t REG_DWORD /d 1 /f”) and the Mandatory flag (using “reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v Mandatory /t REG_DWORD /d 1 /f”).
Both settings take effect only after a system restart; together they prevent kernel compromise via downgrade attacks.
Such attacks are particularly dangerous because they evade DSE and exploit vulnerabilities in first-party components such as the Windows kernel itself, without relying on the traditional Bring Your Own Vulnerable Driver (BYOVD) approach. That makes it essential for security solutions to actively monitor for and detect attempted downgrade procedures.
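The following PowerShell audit is an added example, not code from the SafeBreach research or from Microsoft: it verifies the two DeviceGuard hardening values described above, compares the installed ci.dll against the downgrade target version named in the article, and reports whether VBS is actually running. The Win32_DeviceGuard status codes and the use of the 22621 build line as the only one judged against that version are assumptions of this script.

```powershell
# Added example (not from the SafeBreach research or from Microsoft): audit the
# two VBS hardening flags the article names and the version of the Code
# Integrity module (ci.dll). Run from an elevated PowerShell prompt.
$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$ciDll = Join-Path $env:SystemRoot 'System32\ci.dll'
# ci.dll version the article names as the downgrade target on Windows 11 23H2.
$knownVulnerableCi = [version]'10.0.22621.1376'

function Get-DwordOrZero {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # a missing value behaves like 0 (off)
    return [int]$item.$Name
}

$findings = @()

# 1. UEFI lock and Mandatory flag, the two values set by the reg add commands above.
$locked    = Get-DwordOrZero -Path $dgKey -Name 'Locked'
$mandatory = Get-DwordOrZero -Path $dgKey -Name 'Mandatory'
if ($locked -ne 1)    { $findings += "DeviceGuard\Locked = $locked (UEFI lock not set)" }
if ($mandatory -ne 1) { $findings += "DeviceGuard\Mandatory = $mandatory (Mandatory flag not set)" }

# 2. Installed ci.dll build. Assumption: only the 22621 build line the article
#    discusses is judged against the known-vulnerable version; others are just reported.
$vi = (Get-Item $ciDll).VersionInfo
$ciVersion = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                       $vi.FileBuildPart, $vi.FilePrivatePart)
if ($ciVersion.Build -eq $knownVulnerableCi.Build -and $ciVersion -le $knownVulnerableCi) {
    $findings += "ci.dll is $ciVersion (at or below known-vulnerable $knownVulnerableCi)"
}

# 3. Is VBS actually running? Assumed Win32_DeviceGuard codes: 2 = running,
#    1 = enabled but not running, 0 = off.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and $dg.VirtualizationBasedSecurityStatus -ne 2) {
    $findings += "VBS status is $($dg.VirtualizationBasedSecurityStatus) (not running)"
}

"ci.dll version: $ciVersion"
if ($findings.Count -eq 0) {
    'OK: UEFI lock and Mandatory flag set, ci.dll not at a known-vulnerable build, VBS running.'
} else {
    'FINDINGS:'
    $findings | ForEach-Object { " - $_" }
}
```

A check like this is a point-in-time snapshot, so it is most useful as a scheduled baseline or an EDR-collected artifact, where a change in the reported ci.dll version between runs is itself the downgrade signal.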