Alon Leviev created a tool to return old vulnerabilities to the system.
Alon Leviev, a specialist from SafeBreach, has released the Windows Downdate tool, which allows you to return old vulnerabilities on updated Windows 10, Windows 11, and Windows Server systems.
A downgrade attack allows attackers to roll back targeted devices to earlier versions of software, which leads to the re-emergence of vulnerabilities that can be used to compromise the system.
Windows Downdate is available as an open-source Python program and as a ready-to-use executable for Windows. With the tool, you can roll back various Windows components, such as the Hyper-V hypervisor, system kernel, NTFS drivers, and others, to their base versions.
Leviev also demonstrated examples of using Windows Downdate to roll back fixes for CVE-2021-27090, CVE-2022-34709, CVE-2023-21768, and PPLFault, as well as to bypass VBS protection, including Credential Guard and HVCI components, even when using UEFI entries. According to the researcher, this is the first time that UEFI protection has been bypassed without physical access to the device.
At the Black Hat 2024 conference, Leviev said that attacks using Windows Downdate go unnoticed by EDR solutions, and Windows Update continues to show that the system has been updated, although in fact it has been downgraded to an older version.
Despite the fact that Microsoft has fixed one of the downgrade vulnerabilities (CVE-2024-21302), the second vulnerability (CVE-2024-38202) remains unresolved. Until the update is released, Microsoft recommends that customers use protection measures.
Recommended actions include configuring object access auditing settings to monitor file access attempts, restricting update and restore operations, using ACLs to restrict access to files, and auditing privileges to identify attempts to exploit the vulnerability.
Source
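As an added defender-side example (not from the post, from SafeBreach, or from the Windows Downdate tool itself): a PowerShell check that compares the on-disk versions of the components the post names (kernel, NTFS driver, Hyper-V hypervisor) against the build and update revision the system reports as installed, which is exactly the gap the post describes. The file paths and the "older than reported" heuristic are my assumptions.

```powershell
# Added example, not part of the post or of the Windows Downdate tool.
# Compares the file version of core Windows components against the build and
# Update Build Revision (UBR) that the system itself reports as installed.
# A component whose on-disk revision is older than the reported UBR is a lead
# for a downgrade and should be reviewed, not treated as proof on its own,
# since not every cumulative update ships every file (heuristic, assumption).

function Get-ReportedBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [int]$cv.CurrentBuildNumber   # e.g. 22631
        UBR   = [int]$cv.UBR                  # e.g. 3880, the cumulative-update revision
    }
}

function Test-ComponentDowngrade {
    param(
        # Components named in the post: kernel, NTFS driver, Hyper-V hypervisor.
        # Paths assume a default install; hvix64/hvax64 may be absent on some hosts.
        [string[]]$Paths = @(
            "$env:SystemRoot\System32\ntoskrnl.exe",
            "$env:SystemRoot\System32\drivers\ntfs.sys",
            "$env:SystemRoot\System32\hvix64.exe",
            "$env:SystemRoot\System32\hvax64.exe"
        )
    )
    $reported = Get-ReportedBuild
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }
        $vi = (Get-Item $p).VersionInfo
        # For Microsoft binaries FileBuildPart is the OS build and
        # FilePrivatePart is the UBR, e.g. 10.0.22631.3880
        $older = (
            ($vi.FileBuildPart -lt $reported.Build) -or
            ($vi.FileBuildPart -eq $reported.Build -and $vi.FilePrivatePart -lt $reported.UBR)
        )
        [pscustomobject]@{
            File        = $p
            FileVersion = "$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
            Reported    = "$($reported.Build).$($reported.UBR)"
            Status      = $(if ($older) { 'REVIEW: older than reported update level' } else { 'ok' })
        }
    }
}

Test-ComponentDowngrade | Format-Table -AutoSize
```

Because the post notes that Windows Update still reports the system as fully patched, the file versions on disk, not the update history, are the signal worth collecting from endpoints.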