A shocking report at the Black Hat conference demonstrates new ways to exploit vulnerabilities.
At the Black Hat 2024 conference, currently taking place in Las Vegas (August 7 and 8), security researcher Alon Leviev of SafeBreach revealed two new zero-day vulnerabilities that can be used in so-called downgrade attacks to roll back Windows 10, Windows 11 and Windows Server installations to older versions, after which already patched vulnerabilities can be exploited again.
Leviev followed responsible disclosure practice and notified Microsoft of the flaws in advance. However, the security flaws tracked as CVE-2024-38202 and CVE-2024-21302 have not yet been fixed, although the company has published some recommendations to mitigate the consequences.
Downgrade attacks allow attackers to force an upgraded device to revert to older versions of software, restoring vulnerabilities that can be exploited to compromise the system.
Leviev discovered that the Windows update process can be subverted to downgrade critical OS components, such as DLLs and the NT kernel. Although these components are in fact outdated after the attack, Windows Update still reports that the system is fully up to date, and recovery and scanning tools find nothing to fix.
Leviev also found ways to disable Windows Virtualization-Based Security (VBS) features, including Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when they are protected by UEFI locks. According to the researcher, this is the first known bypass of UEFI locks without physical access to the device.
The expert noted that this type of attack is not detected by endpoint detection and response (EDR) solutions and is invisible to Windows Update, which makes it particularly dangerous. Leviev stressed that the vulnerability makes the term "fully updated" meaningless for any Windows machine, exposing it to thousands of previously patched vulnerabilities.
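Because Windows Update's own "fully updated" verdict cannot be trusted after such a downgrade, a defender can instead compare the build that Windows reports against the version stamped on the critical binaries the talk names, and read the VBS/HVCI running state directly. The following PowerShell is an added example written for this article, not code from SafeBreach or Microsoft; it assumes Windows 10/11 with an elevated PowerShell 5.1+ session.

```powershell
# Added example: check on-disk reality rather than Windows Update's report.
# Assumes Windows 10/11, elevated PowerShell 5.1 or later.

# Build and Update Build Revision (UBR) that the OS itself reports.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$reported = "$($cv.CurrentBuildNumber).$($cv.UBR)"

# Downgrade targets named in the talk: the NT kernel and core DLLs
# (file list chosen here as an illustration).
$files = 'ntoskrnl.exe', 'securekernel.exe', 'ntdll.dll', 'kernel32.dll', 'ci.dll' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

$findings = foreach ($f in $files) {
    if (-not (Test-Path $f)) { continue }
    $fv = (Get-Item $f).VersionInfo.FileVersion   # e.g. "10.0.22631.3880 (WinBuild...)"
    if ($fv -notmatch '^10\.0\.(\d+)\.(\d+)') { continue }
    $build = $Matches[1]; $ubr = [int]$Matches[2]
    [pscustomobject]@{
        File       = Split-Path $f -Leaf
        OnDisk     = "$build.$ubr"
        Reported   = $reported
        # A different build, or a UBR below the reported one, is worth a look.
        Suspicious = ($build -ne $cv.CurrentBuildNumber) -or ($ubr -lt [int]$cv.UBR)
    }
}
$findings | Format-Table -AutoSize

# VBS / Credential Guard / HVCI running state from the DeviceGuard WMI class.
# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled not running, 2 = running.
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    CredentialGuard = ($dg.SecurityServicesRunning -contains 1)
    HVCI            = ($dg.SecurityServicesRunning -contains 2)
} | Format-List

if (($findings | Where-Object Suspicious) -or ($dg.VirtualizationBasedSecurityStatus -ne 2)) {
    Write-Warning 'On-disk component versions or VBS state disagree with the expected patch level; investigate.'
}
```

A file that the most recent cumulative update did not touch can legitimately carry an older UBR, so compare the table against a known-good baseline taken from an identically patched machine rather than treating every lag as a downgrade.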
Leviev presented the attack, which he calls "Windows Downdate", six months after reporting the vulnerabilities to Microsoft. The company confirmed that it is working on fixes, but a working patch has not yet been released.
Microsoft said that it is not aware of attempts to exploit these vulnerabilities in the wild and recommended following the guidance published in two security advisories to reduce the risk of exploitation until the update is released.
Leviev noted that the consequences of these vulnerabilities are significant not only for Windows, but also for other operating systems that may be vulnerable to similar downgrade attacks.
Microsoft representatives thanked SafeBreach for identifying and responsibly reporting the vulnerabilities. The company is working on measures to protect against these risks, including an update that will roll back outdated, unprotected Virtualization-Based Security (VBS) system files. However, testing that update will take time because of the large number of affected files.
Source