Windows Downgrade Attack Risks Exposing Patched Systems to Old Vulnerabilities

Aug 08, 2024 Ravie Lakshmanan Windows Security / Vulnerability

Microsoft said it's developing security updates to address two loopholes that it said could be abused to stage downgrade attacks against the Windows update architecture and replace current versions of the operating system files with older versions.

The vulnerabilities are listed below –

  • CVE-2024-38202 (CVSS score: 7.3) – Windows Update Stack Elevation of Privilege Vulnerability
  • CVE-2024-21302 (CVSS score: 6.7) – Windows Secure Kernel Mode Elevation of Privilege Vulnerability

Credited with discovering and reporting the issues is SafeBreach Labs researcher Alon Leviev, who presented the findings at Black Hat USA 2024 and DEF CON 32.


CVE-2024-38202, which is rooted in the Windows Backup component, allows an "attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)," the tech giant said.

It, however, noted that an attacker attempting to leverage the flaw would have to convince an Administrator or a user with delegated permissions to perform a system restore, which inadvertently triggers the vulnerability.

The second vulnerability also concerns a case of privilege escalation in Windows systems that support VBS, effectively allowing an adversary to replace current versions of Windows system files with outdated versions.

The implications of CVE-2024-21302 are that it could be weaponized to reintroduce previously addressed security flaws, bypass some features of VBS, and exfiltrate data protected by VBS.

Windows Downgrade Attack

Leviev, who detailed a tool dubbed Windows Downdate, said it could be used to make a "fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term 'fully patched' meaningless on any Windows machine in the world."

The tool, Leviev added, could "take over the Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components—that allowed me to elevate privileges and bypass security features."

Furthermore, Windows Downdate is capable of bypassing verification steps, such as integrity verification and Trusted Installer enforcement, effectively making it possible to downgrade critical operating system components, including dynamic link libraries (DLLs), drivers, and the NT kernel.


The issues, on top of that, could be exploited to downgrade Credential Guard's Isolated User Mode Process, Secure Kernel, and Hyper-V's hypervisor to expose past privilege escalation vulnerabilities, as well as disable VBS, alongside features like Hypervisor-Protected Code Integrity (HVCI).

The net result is that a fully patched Windows system could be rendered susceptible to thousands of past vulnerabilities and turn fixed shortcomings into zero-days.

These downgrades have an added impact in that the operating system reports that the system is fully updated, while simultaneously preventing the installation of future updates and inhibiting detection by recovery and scanning tools.
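The point that the OS keeps reporting itself as fully updated suggests a defender-side check, given here as an added example (not code from the article, SafeBreach, or Microsoft): compare the build and update build revision (UBR) the OS reports with the actual file versions of the Secure Kernel, the NT kernel and the Hyper-V hypervisor, and read the VBS/HVCI state from the Win32_DeviceGuard WMI class. The file list and the assumption that these binaries carry the OS build and UBR after a cumulative update are heuristics of this example, not facts from the article.

```powershell
# Added example (not the article's or SafeBreach's code): flag kernel
# components whose file version is older than the patch level Windows
# reports. Heuristic assumption: on an up-to-date system securekernel.exe,
# ntoskrnl.exe and the Hyper-V hypervisor carry the OS build and UBR.
function Get-ReportedOsVersion {
    # Build and UBR (update build revision) as the OS itself reports them
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]::new(10, 0, [int]$cv.CurrentBuildNumber, [int]$cv.UBR)
}
function Get-KernelComponentVersions {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($name in 'securekernel.exe', 'ntoskrnl.exe', 'hvix64.exe', 'hvax64.exe') {
        $path = Join-Path $sys32 $name
        if (Test-Path $path) {
            [pscustomobject]@{
                File    = $name
                Version = (Get-Item $path).VersionInfo.FileVersionRaw
            }
        }
    }
}
function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning      = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Test-KernelDowngrade {
    $reported = Get-ReportedOsVersion
    foreach ($c in Get-KernelComponentVersions) {
        # A file version below the reported OS version means the component
        # is older than the patch level the OS claims: a rolled-back file.
        [pscustomobject]@{
            File        = $c.File
            FileVersion = $c.Version
            ReportedOs  = $reported
            OlderThanOs = ($c.Version -lt $reported)
        }
    }
}

Test-KernelDowngrade | Format-Table -AutoSize
Get-VbsState
```

A row with OlderThanOs set to True, or VbsRunning/HvciRunning reporting False on a host where they are expected to be on, is worth investigating against a known-good baseline rather than trusting the Windows Update status alone.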

"The downgrade attack I was able to achieve on the virtualization stack within Windows was possible due to a design flaw that permitted less privileged virtual trust levels/rings to update components residing in more privileged virtual trust levels/rings," Leviev said.

“This was very surprising, given Microsoft’s VBS features were announced in 2015, meaning the downgrade attack surface I discovered has existed for almost a decade.”
