SafeBreach security researcher Alon Leviev has published Windows Downdate, a tool that can be used for downgrade attacks that reintroduce old vulnerabilities into up-to-date Windows 10, Windows 11, and Windows Server systems.
In such attacks, malicious actors force targeted devices to revert to older software versions, reintroducing security vulnerabilities that can be exploited to compromise the system.
Windows Downdate is available as an open-source Python-based program and a precompiled Windows executable that can help downgrade Windows 10, Windows 11, and Windows Server system components.
Leviev also shared several use cases that downgrade the Hyper-V hypervisor (to a two-year-old version), the Windows kernel, NTFS driver, and Filter Manager driver (to their base versions), as well as other Windows components and previously applied security patches.
“You can use it to take control of Windows updates to downgrade and expose past vulnerabilities from DLLs, drivers, NT kernel, secure kernel, hypervisor, IUM trustlets and more,” explained Alon Leviev, security researcher at SafeBreach.
“In addition to custom downgrades, Windows Downdate provides easy-to-use examples of how to revert to fixes for CVE-2021-27090, CVE-2022-34709, CVE-2023-21768, and PPLFault, as well as examples of downgrading the hypervisor, downgrading the kernel, and bypassing VBS UEFI locks.”
As Leviev stated at Black Hat 2024, when he revealed the Windows Downdate downgrade attack (which exploits CVE-2024-21302 and CVE-2024-38202), the use of this tool is effectively undetectable: Endpoint Detection and Response (EDR) solutions do not block it, and Windows Update continues to report that the targeted system is up to date even though it has been downgraded.
“I have discovered several ways to disable Windows Virtualization-Based Security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when applied with UEFI locks. To my knowledge, this is the first time that VBS UEFI locks have been bypassed without physical access,” Leviev said.
“As a result, I was able to make a fully patched Windows machine vulnerable to thousands of past vulnerabilities, turning the patched vulnerabilities into zero-day vulnerabilities and rendering the term ‘fully patched’ meaningless on any Windows machine in the world.”
While Microsoft released a security update (KB5041773) to address the Windows kernel secure mode privilege escalation vulnerability CVE-2024-21302 on August 7, the company has yet to provide a patch for CVE-2024-38202, an elevation of privilege vulnerability in the Windows update stack.
Until a security update is released, Redmond advises customers to implement the recommendations shared in the security advisory released earlier this month to help protect against Windows Downdate downgrade attacks.
Mitigations for this issue include configuring “Audit object access” settings to monitor file access attempts, restricting update and restore operations, using access control lists to limit file access, and auditing privileges to identify attempts to exploit this vulnerability.
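The patch and audit recommendations above can be checked and applied on a single host with a short script. The following is an added example, not code from the article, Microsoft's advisory, or the Windows Downdate tool; it assumes an elevated PowerShell session on a supported Windows version, uses only the built-in auditpol.exe and Get-HotFix, and takes KB5041773 from the article (the chosen audit subcategories are an assumption about how to realise the "Audit object access" and privilege-auditing advice).

```powershell
# Added example (not from the article or the Windows Downdate tool).
# Assumes an elevated PowerShell session on Windows 10/11 or Windows Server.

function Test-DowndateMitigations {
    [CmdletBinding()]
    param(
        # KB5041773 is the update the article names for CVE-2024-21302;
        # CVE-2024-38202 had no patch at the time of writing.
        [string]$RequiredKb = 'KB5041773',

        # Assumed set of Advanced Audit Policy subcategories (under "Object Access"
        # and "Privilege Use") that back the advisory's auditing recommendations.
        [string[]]$Subcategories = @('File System', 'Handle Manipulation', 'Sensitive Privilege Use')
    )

    # 1. Check the secure-kernel fix via the installed-package list (Win32_QuickFixEngineering),
    #    not the Windows Update status page, which the article notes keeps saying "up to date".
    $kbInstalled = [bool](Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)

    # 2. Turn on success and failure auditing for each subcategory so SACL hits on
    #    servicing files and sensitive privilege use are written to the Security log.
    foreach ($sub in $Subcategories) {
        & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }

    # 3. Read the effective policy back (/r = CSV output) and verify it, rather than assume it applied.
    $effective = @{}
    foreach ($sub in $Subcategories) {
        $row = & auditpol.exe /get /subcategory:"$sub" /r |
            Where-Object { $_ -match ',' } |      # keep only CSV lines (header + data row)
            ConvertFrom-Csv
        $effective[$sub] = ($row.'Inclusion Setting' -eq 'Success and Failure')
    }

    [pscustomobject]@{
        RequiredKb          = $RequiredKb
        RequiredKbInstalled = $kbInstalled
        AuditingEnabled     = (@($effective.Values) -notcontains $false)
        PerSubcategory      = $effective
    }
}

# Usage: prints one object; both booleans should be $true on a mitigated host.
Test-DowndateMitigations
```

Enabling the audit subcategories only produces events for objects that carry a SACL, so the advisory's "Audit object access" step still requires auditing entries on the files you want watched.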