Zero-Day Windows Vulnerabilities Enable Downgrade Attacks on Fully Patched Systems

CyberSecureFox 🦊

In a startling revelation at the Black Hat 2024 conference, cybersecurity researcher Alon Leviev from SafeBreach disclosed two zero-day vulnerabilities that could potentially compromise the security of fully updated Windows systems. These critical flaws enable downgrade attacks, effectively rendering patched Windows 10, Windows 11, and Windows Server installations vulnerable to previously resolved security issues.

Understanding the Downgrade Attack Vulnerability

Downgrade attacks, also known as version rollback attacks, force a fully patched target device to revert to older software versions. This regression reintroduces vulnerabilities that were previously addressed, leaving systems exposed to a wide array of potential exploits. Leviev’s discovery reveals that the Windows Update process can be manipulated to downgrade critical OS components, including DLLs and the NT kernel, without triggering any security alerts.

Impact on Windows Security Features

The researcher demonstrated the ability to lower the security level of key Windows features, including:

  • Credential Guard Secure Kernel
  • Isolated User Mode Process
  • Hyper-V

This downgrade enables the exploitation of old privilege escalation vulnerabilities, effectively bypassing critical security measures.

Severity and Implications

The severity of these vulnerabilities cannot be overstated. Leviev explains, “I managed to make a fully updated Windows machine susceptible to thousands of old vulnerabilities, turning already patched vulnerabilities into zero-days and rendering the term ‘fully patched’ meaningless for any Windows system worldwide.” Perhaps most alarmingly, these downgrade attacks are virtually undetectable, bypassing EDR solutions while Windows Update continues to report the system as fully updated.

Microsoft’s Response and Mitigation Strategies

Microsoft has acknowledged the vulnerabilities, assigning them the identifiers CVE-2024-38202 and CVE-2024-21302. While patches are still in development, the company has released security bulletins with risk mitigation recommendations. The CVE-2024-38202 vulnerability, related to privilege escalation in Windows Backup, allows attackers with basic privileges to reverse patches for previously fixed bugs or bypass Virtualization Based Security (VBS) features.

Current Status and Recommendations

As of now, Microsoft reports no known exploitation of these vulnerabilities in the wild. However, the potential for abuse remains high. Until patches are available, system administrators and users are strongly advised to implement the mitigation strategies outlined in Microsoft’s security bulletins. These precautions are crucial in reducing the risk of exploitation and maintaining system integrity in the face of these newly discovered threats.
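Because the attack leaves Windows Update reporting the machine as fully patched, a defender cannot rely on that status alone. The following heuristic check, added here and not part of the article or of Microsoft’s guidance, compares the version stamped on the core binaries the article names (NT kernel, Secure Kernel, Hyper-V hypervisor) against the build and Update Build Revision the OS reports; the file paths and the comparison rule are assumptions of this example.

```powershell
# Added example, not from the article: a heuristic check for rolled-back OS components.
# Rationale: the attack leaves Windows Update reporting "fully patched", so compare the
# version stamped on core binaries against the build/UBR the OS reports instead.
# Run from an elevated PowerShell prompt on Windows 10/11 or Windows Server.

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$reportedBuild = [int]$cv.CurrentBuild
$reportedUbr   = [int]$cv.UBR    # Update Build Revision, raised by each cumulative update

# Components the article names as downgrade targets: the NT kernel, the Secure Kernel
# (which Credential Guard and Isolated User Mode depend on) and the Hyper-V hypervisor.
$targets = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\securekernel.exe",
    "$env:SystemRoot\System32\hvix64.exe",    # hypervisor image on Intel hosts
    "$env:SystemRoot\System32\hvax64.exe"     # hypervisor image on AMD hosts
)

$findings = foreach ($path in $targets) {
    if (-not (Test-Path $path)) { continue }  # hypervisor images are platform specific
    $vi = (Get-Item $path).VersionInfo        # e.g. 10.0.22631.3880
    $fileBuild = $vi.FileBuildPart
    $fileRev   = $vi.FilePrivatePart

    # A binary that predates the revision Windows claims to be at is suspicious.
    $suspicious = ($fileBuild -ne $reportedBuild) -or ($fileRev -lt $reportedUbr)

    # Authenticode does not help here: a downgraded file is still a genuine,
    # Microsoft-signed binary, just an older one. Recorded only to make that visible.
    $sig = (Get-AuthenticodeSignature $path).Status

    [pscustomobject]@{
        File       = Split-Path $path -Leaf
        Version    = "$($vi.FileMajorPart).$($vi.FileMinorPart).$fileBuild.$fileRev"
        Reported   = "10.0.$reportedBuild.$reportedUbr"
        Signature  = $sig
        Suspicious = $suspicious
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object Suspicious) {
    Write-Warning 'One or more core components are older than the reported update level; investigate.'
}
```

A component that the latest cumulative update did not touch can legitimately carry an older revision, so treat a hit as a lead for investigation, not a verdict.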

The discovery of these downgrade attack vulnerabilities serves as a stark reminder of the ever-evolving nature of cybersecurity threats. It underscores the critical importance of ongoing vigilance, prompt patching, and the implementation of multi-layered security strategies to protect against both known and unknown vulnerabilities in our increasingly complex digital ecosystem.
