Fully patched Windows 11 systems are vulnerable to attacks that allow an adversary to install custom rootkits that can neutralize endpoint security mechanisms, hide malicious processes and network activity, maintain persistence and stealth on a compromised system, and more.
The attack involves a Windows OS downgrade technique that SafeBreach security researcher Alon Leviev demonstrated at Black Hat USA 2024 in August, and for which he developed an exploit tool called Windows Downdate. Leviev showed how an attacker with admin-level access to a system could tamper with the Windows Update process and revert fully patched Windows components, including dynamic link libraries, drivers, and the kernel, back to a previously vulnerable state.
Windows OS Downgrade Attack
As part of the demo, the researcher showed how the attack would work even in situations where an organization had enabled virtualization-based security (VBS) to protect critical OS components. Leviev downgraded VBS features like Secure Kernel and Credential Guard's Isolated User Mode Process to expose privilege escalation vulnerabilities in them that Microsoft had previously addressed.
"I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term 'fully patched' meaningless on any Windows machine in the world," Leviev wrote in August.
Since then, Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) that Leviev reported to the company after discovering and exploiting them as part of his attack chain. However, Microsoft has so far not addressed the ability for an attacker with admin access to abuse the Windows Update process itself to downgrade critical OS components back to insecure states.
Not a Security Vulnerability?
The issue has to do with Microsoft refusing to consider the ability for an admin-level user to gain kernel code execution as crossing a security boundary. "Microsoft did fix every vulnerability that resulted from crossing a defined security boundary," Leviev tells Dark Reading. "Crossing from administrator to the kernel is not considered a security boundary, and hence it was not fixed."
To show why this is still a threat, Leviev on Oct. 26 released details of a new Windows downgrade attack he developed, where he used his Windows Downdate tool to revive a driver signature enforcement (DSE) bypass attack that Microsoft had mitigated with its patch for CVE-2024-21302. He showed how an attacker could abuse the issue to load unsigned kernel drivers and deploy bespoke rootkits.
"The 'ItsNotASecurityBoundary' DSE bypass belongs to a new class of flaws known as False File Immutability (FFI)" that researchers at Elastic Security reported earlier this year, Leviev wrote in his Oct. 26 post. "This class exploits incorrect assumptions about file immutability — specifically, that blocking write access sharing makes a file immutable."
Leviev says that all he had to do to execute the attack was to identify the specific OS module (CI.dll) to which Microsoft had applied the patch for CVE-2024-21302, and then use his Downdate tool to downgrade the module back to its unpatched version.
"Downgrading only ci.dll to its unpatched version works well against a fully patched Windows 11 23h2 machine," Leviev wrote on Oct. 26. The researcher added that he was able to exploit the issue even when VBS was enabled, with and without UEFI lock for securing the boot process and firmware configuration. "To fully mitigate the attack, VBS must be enabled with UEFI lock and the 'Mandatory' flag. Otherwise, it would be possible for an attacker to disable VBS, downgrade ci.dll, and successfully exploit the flaw," he noted.
In an emailed comment, Tim Peck, senior threat researcher at Securonix, described the Windows Downdate attacks as taking advantage of Windows not always validating the version numbers of its DLLs when loading them. This allows "attackers to trick the operating system (OS) into using outdated files that are more susceptible to exploitation," he explained. "If the attacker is able to downgrade Windows Defender, especially with regard to security updates, they could have free rein to execute malicious files or tactics that would normally have been caught."
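Defenders reading the two preceding points (VBS must be enabled with UEFI lock and the Mandatory flag; Windows does not always validate DLL versions on load) may want a way to audit a host for both. The PowerShell script below is an added example, not code from the article, from SafeBreach, or from Microsoft. It reads the runtime VBS state from the Win32_DeviceGuard WMI class and the policy values under the DeviceGuard registry key, then records the on-disk version of ci.dll so it can be compared with a baseline taken from a known-good patched reference machine. The registry value names EnableVirtualizationBasedSecurity, Locked and Mandatory are assumed from Microsoft's VBS policy documentation; $ExpectedCiVersion is a placeholder you must fill in yourself, since the article gives no version numbers.

```powershell
# Added example (not from the article, SafeBreach, or Microsoft): audit one host for
# the VBS configuration described as the full mitigation, and report the ci.dll version
# for comparison against an administrator-supplied baseline. Run from an elevated prompt.
#
# Assumptions (labelled): the DeviceGuard registry value names below are the ones set by
# the VBS group policy; $ExpectedCiVersion is a placeholder taken from your own
# patched reference host, not a value from the article.

param(
    [string]$ExpectedCiVersion = '<fill-in-from-reference-host>'
)

$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null (not an error) when the value is absent, so a missing policy shows as "not set".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Runtime state reported by the Device Guard WMI provider.
$state = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning  = ($state.VirtualizationBasedSecurityStatus -eq 2)   # 2 = VBS running
$hvciRunning = ($state.SecurityServicesRunning -contains 2)       # 1 = Credential Guard, 2 = HVCI

# 2. Policy configuration: VBS enabled, UEFI lock set, Mandatory flag set (assumed value names).
$vbsEnabled = (Get-RegDword -Path $dgKey -Name 'EnableVirtualizationBasedSecurity') -eq 1
$uefiLocked = (Get-RegDword -Path $dgKey -Name 'Locked') -eq 1
$mandatory  = (Get-RegDword -Path $dgKey -Name 'Mandatory') -eq 1

# 3. On-disk version of the code-integrity module the article says was downgraded.
$ciPath    = Join-Path $env:SystemRoot 'System32\ci.dll'
$ciVersion = (Get-Item $ciPath).VersionInfo.FileVersion

$result = [pscustomobject]@{
    VbsRunning           = $vbsRunning
    HvciRunning          = $hvciRunning
    VbsPolicyEnabled     = $vbsEnabled
    UefiLocked           = $uefiLocked
    MandatoryFlag        = $mandatory
    CiDllPath            = $ciPath
    CiDllVersion         = $ciVersion
    CiDllMatchesBaseline = ($ciVersion -eq $ExpectedCiVersion)
    # The article's stated full mitigation: VBS on, UEFI-locked, Mandatory set.
    FullyMitigated       = ($vbsRunning -and $uefiLocked -and $mandatory)
}

$result | Format-List

if (-not $result.FullyMitigated) {
    Write-Warning 'VBS is not enabled with UEFI lock and the Mandatory flag; a ci.dll downgrade remains possible.'
}
if (-not $result.CiDllMatchesBaseline) {
    Write-Warning "ci.dll reports version '$ciVersion', which differs from baseline '$ExpectedCiVersion'; investigate."
}
```

Run it on a reference host first to capture the expected ci.dll version, then feed that value to the other hosts with `-ExpectedCiVersion`. A mismatch is not proof of a downgrade (a pending update can also produce one), but it is the signal the article's second point says the OS itself does not raise, so it is worth routing to the same place as other integrity alerts.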
Microsoft Is Now Working on a Fix
A Microsoft spokesman noted in an email that the company is "actively developing mitigations to protect against these risks," without specifying what measures it might be taking or when they would be available. The company is fully investigating update development and compatibility development, he wrote.
"We are developing a security update that will revoke outdated, unpatched VBS system files to mitigate this threat," he wrote. "Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions."
Microsoft will also continue to update information around CVE-2024-21302, he wrote, with additional mitigation or related risk reduction guidance as they become available.