Microsoft mentioned it’s growing security updates to handle two loopholes that it mentioned could possibly be abused to stage downgrade assaults towards the Home windows replace structure and substitute present variations of the Home windows information with older variations.
The vulnerabilities are listed under –
- CVE-2024-38202 (CVSS rating: 7.3) – Home windows Replace Stack Elevation of Privilege Vulnerability
- CVE-2024-21302 (CVSS rating: 6.7) – Home windows Safe Kernel Mode Elevation of Privilege Vulnerability
Credited with discovering and reporting the issues is SafeBreach Labs researcher Alon Leviev, who offered the findings at Black Hat USA 2024 and DEF CON 32.
CVE-2024-38202, which is rooted within the Home windows Backup part, permits an “attacker with primary person privileges to reintroduce beforehand mitigated vulnerabilities or circumvent some options of Virtualization Based mostly Safety (VBS),” the tech large mentioned.
It, nevertheless, famous that an attacker making an attempt to leverage the flaw must persuade an Administrator or a person with delegated permissions to carry out a system restore which inadvertently triggers the vulnerability.
The second vulnerability additionally considerations a case of privilege escalation in Home windows techniques that help VBS, successfully permitting an adversary to exchange present variations of Home windows system information with outdated variations.
The results of CVE-2024-21302 are that it could possibly be weaponized to reintroduce beforehand addressed security flaws, bypass some options of VBS, and exfiltrate information protected by VBS.
Leviev, who detailed a instrument dubbed Home windows Downdate, mentioned it could possibly be used to show a “absolutely patched Home windows machine prone to hundreds of previous vulnerabilities, turning mounted vulnerabilities into zero-days and making the time period ‘absolutely patched’ meaningless on any Home windows machine on this planet.”
The instrument, Leviev added, might “take over the Home windows Replace course of to craft absolutely undetectable, invisible, persistent, and irreversible downgrades on crucial OS elements—that allowed me to raise privileges and bypass security options.”
Moreover, Home windows Downdate is able to bypassing verification steps, corresponding to integrity verification and Trusted Installer enforcement, successfully making it doable to downgrade crucial working system elements, together with dynamic hyperlink libraries (DLLs), drivers, and NT kernel.
The problems, on prime of that, could possibly be exploited to downgrade Credential Guard’s Remoted Consumer Mode Course of, Safe Kernel, and Hyper-V’s hypervisor to show previous privilege escalation vulnerabilities, in addition to disable VBS, alongside options like Hypervisor-Protected Code integrity (HVCI).
The online result’s {that a} fully patched Home windows system could possibly be rendered prone to hundreds of previous vulnerabilities and switch mounted shortcomings into zero-days.
These downgrades have an added influence in that the working system stories that the system is absolutely up to date, whereas concurrently stopping the set up of future updates and inhibiting detection by restoration and scanning instruments.
“The downgrade assault I used to be capable of obtain on the virtualization stack inside Home windows was doable resulting from a design flaw that permitted much less privileged digital belief ranges/rings to replace elements residing in additional privileged digital belief ranges/rings,” Leviev mentioned.
“This was very stunning, given Microsoft’s VBS options had been introduced in 2015, which means the downgrade assault floor I found has existed for nearly a decade.”
