A brand new assault method could possibly be used to bypass Microsoft’s Driver Signature Enforcement (DSE) on absolutely patched Home windows methods, resulting in working system (OS) downgrade assaults.
“This bypass permits loading unsigned kernel drivers, enabling attackers to deploy customized rootkits that may neutralize safety controls, cover processes and community exercise, preserve stealth, and way more,” SafeBreach researcher Alon Leviev stated in a report shared with The Hacker Information.
The newest findings construct on an earlier evaluation that uncovered two privilege escalation flaws within the Home windows replace course of (CVE-2024-21302 and CVE-2024-38202) that could possibly be weaponized to rollback an up-to-date Home windows software program to an older model containing unpatched safety vulnerabilities.
The exploit materialized within the type of a device dubbed Home windows Downdate, which, per Leviev, could possibly be used to hijack the Home windows Replace course of to craft absolutely undetectable, persistent, and irreversible downgrades on vital OS parts.
This may have extreme ramifications, because it presents attackers a greater various to Convey Your Personal Susceptible Driver (BYOVD) assaults, allowing them to downgrade first-party modules, together with the OS kernel itself.
Microsoft subsequently addressed CVE-2024-21302 and CVE-2024-38202 on August 13 and October 8, 2024, respectively, as a part of Patch Tuesday updates.
The newest strategy devised by Leviev leverages the downgrade device to downgrade the “ItsNotASecurityBoundary” DSE bypass patch on a completely up to date Home windows 11 system.
ItsNotASecurityBoundary was first documented by Elastic Safety Labs researcher Gabriel Landau in July 2024 alongside PPLFault, describing them as a brand new bug class codenamed False File Immutability. Microsoft remediated it earlier this Could.
In a nutshell, it exploits a race situation to interchange a verified safety catalog file with a malicious model containing authenticode signature for an unsigned kernel driver, following which the attacker prompts the kernel to load the driving force.
Microsoft’s code integrity mechanism, which is used to authenticate a file utilizing the kernel mode library ci.dll, then parses the rogue safety catalog to validate the signature of the driving force and cargo it, successfully granting the attacker the flexibility to execute arbitrary code within the kernel.
The DSE bypass is achieved by making use of the downgrade device to interchange the “ci.dll” library with an older model (10.0.22621.1376.) to undo the patch put in place by Microsoft.
That having stated, there’s a safety barrier that may stop such a bypass from being profitable. If Virtualization-Primarily based Safety (VBS) is operating on the focused host, the catalog scanning is carried out by the Safe Kernel Code Integrity DLL (skci.dll), versus ci.dll.
Nonetheless, It is value noting that the default configuration is VBS and not using a Unified Extensible Firmware Interface (UEFI) Lock. Consequently, an attacker might flip it off by tampering with the EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures registry keys.
Even in instances the place UEFI lock is enabled, the attacker might disable VBS by changing one of many core recordsdata with an invalid counterpart. In the end, the exploitation steps an attacker must observe are beneath –
- Turning off VBS within the Home windows Registry, or invalidating SecureKernel.exe
- Downgrading ci.dll to the unpatched model
- Restarting the machine
- Exploiting ItsNotASecurityBoundary DSE bypass to realize kernel-level code execution
The one occasion the place it fails is when VBS is turned on with a UEFI lock and a “Obligatory” flag, the final of which causes boot failure when VBS recordsdata are corrupted. The Obligatory mode is enabled manually by the use of a registry change.
“The Obligatory setting prevents the OS loader from persevering with besides in case the Hypervisor, Safe Kernel or considered one of their dependent modules fails to load,” Microsoft notes in its documentation. “Particular care ought to be used earlier than enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse besides.”
Thus, in an effort to absolutely mitigate the assault, it is important that VBS is enabled with UEFI lock and the Obligatory flag set. In another mode, it makes it attainable for an adversary to show the safety function off, carry out the DDL downgrade, and obtain a DSE bypass.
“The principle takeaway […] is that safety options ought to attempt to detect and forestall downgrade procedures even for parts that don’t cross outlined safety boundaries,” Leviev informed The Hacker Information.
