A brand new assault method may very well be used to bypass Microsoft’s Driver Signature Enforcement (DSE) on absolutely patched Home windows techniques, resulting in working system (OS) downgrade assaults.
“This bypass allows loading unsigned kernel drivers, enabling attackers to deploy custom rootkits that can neutralize security controls, hide processes and network activity, maintain stealth, and much more,” SafeBreach researcher Alon Leviev mentioned in a report shared with The Hacker Information.
The most recent findings construct on an earlier evaluation that uncovered two privilege escalation flaws within the Home windows replace course of (CVE-2024-21302 and CVE-2024-38202) that may very well be weaponized to rollback an up-to-date Home windows software program to an older model containing unpatched safety vulnerabilities.
The exploit materialized within the type of a device dubbed Home windows Downdate, which, per Leviev, may very well be used to hijack the Home windows Replace course of to craft absolutely undetectable, persistent, and irreversible downgrades on essential OS elements.
This will have extreme ramifications, because it gives attackers a greater different to Deliver Your Personal Weak Driver (BYOVD) assaults, letting them downgrade first-party modules, together with the OS kernel itself.
Microsoft subsequently addressed CVE-2024-21302 and CVE-2024-38202 on August 13 and October 8, 2024, respectively, as a part of Patch Tuesday updates.
The most recent method devised by Leviev leverages the downgrade device to downgrade the “ItsNotASecurityBoundary” DSE bypass patch on a totally up to date Home windows 11 system.
ItsNotASecurityBoundary was first documented by Elastic Safety Labs researcher Gabriel Landau in July 2024 alongside PPLFault, describing them as a brand new bug class codenamed False File Immutability. Microsoft remediated it earlier this Could.
In a nutshell, it exploits a race situation to switch a verified safety catalog file with a malicious model containing authenticode signature for an unsigned kernel driver, following which the attacker prompts the kernel to load the motive force.
Microsoft’s code integrity mechanism, which is used to authenticate a file utilizing the kernel mode library ci.dll, then parses the rogue safety catalog to validate the signature of the motive force and cargo it, successfully granting the attacker the power to execute arbitrary code within the kernel.
The DSE bypass is achieved by making use of the downgrade device to switch the “ci.dll” library with an older model (10.0.22621.1376.) to undo the patch put in place by Microsoft.
That having mentioned, there’s a safety barrier that may stop such a bypass from being profitable. If Virtualization-Primarily based Safety (VBS) is working on the focused host, the catalog scanning is carried out by the Safe Kernel Code Integrity DLL (skci.dll), versus ci.dll.
Nonetheless, It is price noting that the default configuration is VBS and not using a Unified Extensible Firmware Interface (UEFI) Lock. In consequence, an attacker may flip it off by tampering with the EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures registry keys.
Even in instances the place UEFI lock is enabled, the attacker may disable VBS by changing one of many core recordsdata with an invalid counterpart. In the end, the exploitation steps an attacker must observe are under –
- Turning off VBS within the Home windows Registry, or invalidating SecureKernel.exe
- Downgrading ci.dll to the unpatched model
- Restarting the machine
- Exploiting ItsNotASecurityBoundary DSE bypass to attain kernel-level code execution
The one occasion the place it fails is when VBS is turned on with a UEFI lock and a “Mandatory” flag, the final of which causes boot failure when VBS recordsdata are corrupted. The Necessary mode is enabled manually by way of a registry change.
“The Mandatory setting prevents the OS loader from continuing to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load,” Microsoft notes in its documentation. “Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.”
Thus, so as to absolutely mitigate the assault, it is important that VBS is enabled with UEFI lock and the Necessary flag set. In every other mode, it makes it potential for an adversary to show the safety function off, carry out the DDL downgrade, and obtain a DSE bypass.
“The main takeaway […] is that security solutions should try to detect and prevent downgrade procedures even for components that do not cross defined security boundaries,” Leviev informed The Hacker Information.
