A brand new assault approach might be used to bypass Microsoft’s Driver Signature Enforcement (DSE) on totally patched Home windows programs, resulting in working system (OS) downgrade assaults.
“This bypass permits loading unsigned kernel drivers, enabling attackers to deploy customized rootkits that may neutralize security controls, conceal processes and community exercise, keep stealth, and far more,” SafeBreach researcher Alon Leviev mentioned in a report shared with The Hacker Information.
The most recent findings construct on an earlier evaluation that uncovered two privilege escalation flaws within the Home windows replace course of (CVE-2024-21302 and CVE-2024-38202) that might be weaponized to rollback an up-to-date Home windows software program to an older model containing unpatched security vulnerabilities.
The exploit materialized within the type of a software dubbed Home windows Downdate, which, per Leviev, might be used to hijack the Home windows Replace course of to craft totally undetectable, persistent, and irreversible downgrades on important OS parts.
This could have extreme ramifications, because it gives attackers a greater different to Convey Your Personal Susceptible Driver (BYOVD) assaults, allowing them to downgrade first-party modules, together with the OS kernel itself.
Microsoft subsequently addressed CVE-2024-21302 and CVE-2024-38202 on August 13 and October 8, 2024, respectively, as a part of Patch Tuesday updates.
The most recent method devised by Leviev leverages the downgrade software to downgrade the “ItsNotASecurityBoundary” DSE bypass patch on a totally up to date Home windows 11 system.
ItsNotASecurityBoundary was first documented by Elastic Safety Labs researcher Gabriel Landau in July 2024 alongside PPLFault, describing them as a brand new bug class codenamed False File Immutability. Microsoft remediated it earlier this Might.
In a nutshell, it exploits a race situation to switch a verified security catalog file with a malicious model containing authenticode signature for an unsigned kernel driver, following which the attacker prompts the kernel to load the driving force.
Microsoft’s code integrity mechanism, which is used to authenticate a file utilizing the kernel mode library ci.dll, then parses the rogue security catalog to validate the signature of the driving force and cargo it, successfully granting the attacker the flexibility to execute arbitrary code within the kernel.
The DSE bypass is achieved by making use of the downgrade software to switch the “ci.dll” library with an older model (10.0.22621.1376.) to undo the patch put in place by Microsoft.
That having mentioned, there’s a security barrier that may forestall such a bypass from being profitable. If Virtualization-Primarily based Safety (VBS) is operating on the focused host, the catalog scanning is carried out by the Safe Kernel Code Integrity DLL (skci.dll), versus ci.dll.
Nonetheless, It is price noting that the default configuration is VBS with no Unified Extensible Firmware Interface (UEFI) Lock. In consequence, an attacker might flip it off by tampering with the EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures registry keys.
Even in instances the place UEFI lock is enabled, the attacker might disable VBS by changing one of many core recordsdata with an invalid counterpart. In the end, the exploitation steps an attacker must observe are beneath –
- Turning off VBS within the Home windows Registry, or invalidating SecureKernel.exe
- Downgrading ci.dll to the unpatched model
- Restarting the machine
- Exploiting ItsNotASecurityBoundary DSE bypass to realize kernel-level code execution
The one occasion the place it fails is when VBS is turned on with a UEFI lock and a “Obligatory” flag, the final of which causes boot failure when VBS recordsdata are corrupted. The Obligatory mode is enabled manually by way of a registry change.
“The Obligatory setting prevents the OS loader from persevering with as well in case the Hypervisor, Safe Kernel or one among their dependent modules fails to load,” Microsoft notes in its documentation. “Particular care needs to be used earlier than enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse as well.”
Thus, in an effort to totally mitigate the assault, it is important that VBS is enabled with UEFI lock and the Obligatory flag set. In every other mode, it makes it attainable for an adversary to show the security characteristic off, carry out the DDL downgrade, and obtain a DSE bypass.
“The principle takeaway […] is that security options ought to attempt to detect and stop downgrade procedures even for parts that don’t cross outlined security boundaries,” Leviev informed The Hacker Information.
