Wednesday, November 13, 2024

Windows 'Downdate' Attack Makes Patched PCs Vulnerable


Fully patched Windows 11 systems are vulnerable to attacks that allow an adversary to install custom rootkits that can neutralize endpoint security mechanisms, hide malicious processes and network activity, maintain persistence and stealth on a compromised system, and more.

The attack involves a Windows OS downgrade technique that SafeBreach security researcher Alon Leviev demonstrated at Black Hat USA 2024 in August, and for which he developed an exploit tool called Windows Downdate. Leviev showed how an attacker with admin-level access to a system could tamper with the Windows Update process and revert fully patched Windows components, including dynamic link libraries, drivers, and the kernel, back to a previously vulnerable state.

Windows OS Downgrade Attack

As part of the demo, the researcher showed how the attack would work even in situations where an organization might have enabled virtualization-based security (VBS) to protect critical OS components. Leviev downgraded VBS features like Secure Kernel and Credential Guard's Isolated User Mode Process to expose privilege escalation vulnerabilities in them that Microsoft had previously addressed.

"I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term 'fully patched' meaningless on any Windows machine in the world," Leviev wrote in August.

Since then, Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) that Leviev reported to the company after discovering and exploiting them as part of his attack chain. However, Microsoft has so far not addressed the ability of an attacker with admin access to abuse the Windows Update process itself to downgrade critical OS components back to insecure states.

Not a Security Vulnerability?

The issue has to do with Microsoft declining to consider the ability of an admin-level user to achieve kernel code execution as crossing a security boundary. "Microsoft did fix every vulnerability that resulted from crossing a defined security boundary," Leviev tells Dark Reading. "Crossing from administrator to the kernel is not considered a security boundary, and hence it was not fixed."

To show why this remains a threat, Leviev on Oct. 26 released details of a new Windows downgrade attack he developed, where he used his Windows Downdate tool to revive a driver signature enforcement (DSE) bypass attack that Microsoft had mitigated with its patch for CVE-2024-21302. He showed how an attacker could abuse the issue to load unsigned kernel drivers and deploy bespoke rootkits.

"The 'ItsNotASecurityBoundary' DSE bypass belongs to a new class of flaws called False File Immutability (FFI)" that researchers at Elastic Security reported earlier this year, Leviev wrote in his Oct. 26 post. "This class exploits incorrect assumptions about file immutability — specifically, that blocking write access sharing makes a file immutable."

Leviev says that all he had to do to execute the attack was to identify the specific OS module (CI.dll) to which Microsoft had applied the patch for CVE-2024-21302, and then use his Downdate tool to downgrade the module back to its unpatched version.

"Downgrading only ci.dll to its unpatched version works well against a fully patched Windows 11 23H2 machine," Leviev wrote on Oct. 26. The researcher added that he was able to exploit the issue even when VBS was enabled, with and without UEFI lock for securing the boot process and firmware configuration. "To fully mitigate the attack, VBS must be enabled with UEFI lock and the 'Mandatory' flag. Otherwise, it would be possible for an attacker to disable VBS, downgrade ci.dll, and successfully exploit the flaw," he noted.

In an emailed comment, Tim Peck, senior threat researcher at Securonix, described the Windows Downdate attacks as taking advantage of Windows not always validating the version numbers of its DLLs when loading them. This allows "attackers to trick the operating system (OS) into using outdated files that are more susceptible to exploitation," he explained. "If the attacker is able to downgrade Windows Defender, especially with regard to security updates, they would have free rein to execute malicious files or tactics that would normally have been caught."
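The two conditions the preceding paragraphs describe, a ci.dll rolled back below its patched version and a VBS configuration without UEFI lock and the 'Mandatory' flag, can be checked from the defender's side. The read-only PowerShell script below is an added example, not code from the article, from SafeBreach or from Microsoft; the baseline ci.dll version is a placeholder, and the `Locked` and `Mandatory` registry values under the DeviceGuard key are assumed to reflect the UEFI-lock and Mandatory settings respectively.

```powershell
# Added example: audit a host for the downgrade conditions discussed above.
# Run elevated on the host being checked. Nothing here changes system state.

# PLACEHOLDER: take the known-good ci.dll version from a trusted,
# freshly patched reference host of the same Windows build.
$BaselineCiVersion = [version]'10.0.0.0'

function Test-CiDllVersion {
    $path = Join-Path $env:SystemRoot 'System32\ci.dll'
    $info = (Get-Item $path).VersionInfo
    # Build a comparable [version] from the numeric parts rather than the
    # FileVersion string, which can carry non-numeric build metadata.
    $current = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                               $info.FileBuildPart, $info.FilePrivatePart)
    [pscustomobject]@{
        Path       = $path
        Version    = $current
        # A version older than the baseline is the signal a Downdate-style
        # rollback of the CI module would leave behind.
        Downgraded = ($current -lt $BaselineCiVersion)
    }
}

function Test-VbsHardening {
    # Win32_DeviceGuard reports the live VBS state (2 = running).
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $running   = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $uefiLock  = ($reg.Locked -eq 1)      # assumption: reflects "Enabled with UEFI lock"
    $mandatory = ($reg.Mandatory -eq 1)   # assumption: the 'Mandatory' flag named in the article
    [pscustomobject]@{
        VbsRunning     = $running
        UefiLock       = $uefiLock
        MandatoryFlag  = $mandatory
        # All three are needed for the full mitigation Leviev describes.
        FullyMitigated = ($running -and $uefiLock -and $mandatory)
    }
}

Test-CiDllVersion | Format-List
Test-VbsHardening | Format-List
```

A `Downgraded` of True, or a `FullyMitigated` of False, is a finding to investigate rather than proof of compromise; compare against an inventory of expected versions across the fleet.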

Microsoft Is Now Working on a Fix

A Microsoft spokesman noted in an email that the company is "actively developing mitigations to protect against these risks," without specifying what measures it may be taking or when they would be available. The company is fully investigating update development and compatibility development, he wrote.

"We are developing a security update that will revoke outdated, unpatched VBS system files to mitigate this threat," he wrote. "Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions."

Microsoft will also continue to update information around CVE-2024-21302, he wrote, with additional mitigation or related risk reduction guidance as they become available.


