Microsoft has announced that it is actively working on security updates to rectify two significant vulnerabilities that could potentially be exploited to conduct downgrade attacks against its Windows update system. These vulnerabilities may allow malicious actors to replace the current versions of operating system files with outdated ones, undermining the integrity of the system.
The first vulnerability, CVE-2024-38202, carries a CVSS score of 7.3 and is an elevation-of-privilege flaw in the Windows Update Stack that Microsoft associates with the Windows Backup component. It allows an attacker with only basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization-Based Security (VBS). Exploitation is not fully self-contained, however: the attacker must persuade an administrator, or a user with delegated permissions, to perform a system restore that inadvertently triggers the rollback.
The second vulnerability, CVE-2024-21302, carries a CVSS score of 6.7 and is an elevation-of-privilege flaw in Windows Secure Kernel Mode, affecting Windows systems that support VBS. An adversary who exploits it can replace current Windows system files with older versions, reintroducing security flaws that those files had fixed and potentially exfiltrating data protected by VBS. Taken together, the two flaws turn a patched system's own update mechanism against it: every vulnerability fixed in a rolled-back component becomes exploitable again, on a machine that still appears fully patched.
Alon Leviev, a researcher at SafeBreach Labs, discovered and reported both vulnerabilities and presented his findings at Black Hat USA 2024 and DEF CON 32. He also released a tool, Windows Downdate, which he says can take a fully patched Windows machine and make it susceptible to thousands of past vulnerabilities by reversing their fixes. The tool drives the Windows Update process itself, so the downgrade of critical operating system components is applied through a legitimate servicing path and, according to Leviev, is undetectable and irreversible.
Windows Downdate bypasses the verification steps that are supposed to prevent exactly this, including integrity checks and TrustedInstaller enforcement, which lets it downgrade dynamic link libraries (DLLs), drivers, the NT kernel, and, in the virtualization stack, the Hyper-V hypervisor and the Secure Kernel. Leviev noted that such downgrades expose the system to legacy vulnerabilities while Windows Update continues to report the machine as fully up to date, so neither the user nor routine patch-compliance tooling sees anything wrong.
The ability to downgrade the virtualization stack stems from a design flaw in how its components are updated: less privileged virtual trust levels (VTLs) are able to update components that belong to more privileged ones, so code running in the normal kernel (VTL0) can replace binaries that belong to the Secure Kernel (VTL1) and the hypervisor, inverting the trust boundary VBS exists to enforce. Leviev said he was surprised the flaw had survived for so long, given that Microsoft introduced VBS with Windows 10 in 2015, leaving a window of roughly nine years in which the design was exposed.
Mapped to the MITRE ATT&CK framework, neither flaw provides initial access on its own: both require code already running on the host as a standard user, and CVE-2024-38202 additionally needs an administrator persuaded, through social engineering, to perform the system restore that triggers the rollback. What they provide is Privilege Escalation (TA0004) and, more importantly, Defense Evasion through Impair Defenses (T1562), because a downgrade of the kernel, Secure Kernel or hypervisor removes security fixes and VBS protections wholesale rather than one at a time. Since the rolled-back files survive reboots and Windows Update still reports the machine as current, the downgrade also serves as a durable and hard-to-detect foothold for Persistence.
Until Microsoft ships the updates for both CVEs, organizations running Windows should apply whatever interim mitigation guidance Microsoft publishes, install the fixes as soon as they are available, and stop treating Windows Update's "up to date" status as sufficient evidence of patch level: the on-disk versions of the kernel, Secure Kernel, hypervisor and code-integrity binaries should be compared against a known-good baseline, and unexpected system restores on servers and administrator workstations should be investigated. The broader lesson is that integrity of the update path is itself a security control, and one that has to be verified rather than assumed.
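A practical version of the baseline check recommended above, as an added example that is not code from the article, from Microsoft, or from SafeBreach's Windows Downdate tool. It records the file versions of the components a downgrade attack would target (kernel, Secure Kernel, hypervisor, code integrity) on a known-good host, then on later runs flags any component whose on-disk version has moved backwards, alongside the VBS status from Win32_DeviceGuard and the most recent hotfix Windows Update itself reports. The component list, the baseline file location and the status labels are the author's choices for illustration, not a Microsoft convention; it assumes an elevated PowerShell session on 64-bit Windows 10 or 11.

```powershell
# Added example: compare on-disk versions of core Windows/VBS binaries against a
# baseline recorded on a known-good, fully patched host. Not code from the article
# or from SafeBreach. Run elevated; component list and baseline path are assumptions.
[CmdletBinding()]
param(
    [string]$BaselinePath = "$env:ProgramData\win-component-baseline.json",
    [switch]$RecordBaseline
)

# Targets a downgrade of the update/VBS stack would plausibly roll back:
# NT kernel, Secure Kernel, hypervisor (Intel or AMD build), code integrity, win32k.
$Components = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\securekernel.exe",
    "$env:SystemRoot\System32\hvix64.exe",
    "$env:SystemRoot\System32\hvax64.exe",
    "$env:SystemRoot\System32\ci.dll",
    "$env:SystemRoot\System32\skci.dll",
    "$env:SystemRoot\System32\win32k.sys"
)

function Get-ComponentVersions {
    $result = @{}
    foreach ($path in $Components) {
        # Only one hypervisor build exists on a given host; skip files that are absent.
        if (Test-Path -LiteralPath $path) {
            # FileVersionRaw is a [System.Version], so later comparisons are numeric.
            $result[$path] = (Get-Item -LiteralPath $path).VersionInfo.FileVersionRaw.ToString()
        }
    }
    return $result
}

function Get-VbsStatus {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [PSCustomObject]@{
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard = ($dg.SecurityServicesRunning -contains 1)
        Hvci            = ($dg.SecurityServicesRunning -contains 2)
    }
}

$current = Get-ComponentVersions

if ($RecordBaseline) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Host "Baseline for $($current.Count) components written to $BaselinePath"
    return
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -RecordBaseline on a known-good host first."
}

# ConvertFrom-Json yields a PSCustomObject; walk its properties back into path/version pairs.
$baseline = @{}
(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }

$downgraded = 0
$report = foreach ($path in $baseline.Keys) {
    $old = [Version]$baseline[$path]
    if (-not $current.ContainsKey($path)) {
        $status = 'MISSING'; $new = $null
    } else {
        $new = [Version]$current[$path]
        $status = if ($new -lt $old) { 'DOWNGRADED' } elseif ($new -gt $old) { 'NEWER' } else { 'OK' }
    }
    if ($status -eq 'DOWNGRADED') { $downgraded++ }
    [PSCustomObject]@{ Component = (Split-Path $path -Leaf); Baseline = $old; Current = $new; Status = $status }
}

$report | Format-Table -AutoSize
Get-VbsStatus | Format-List

# Windows Update's own view of the host: a silent downgrade leaves the installed-update
# record untouched, so this still looks current even when the binaries above have regressed.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1 HotFixID, InstalledOn

if ($downgraded -gt 0) { Write-Warning "$downgraded component(s) are older than the baseline."; exit 1 }
```

Run it once with -RecordBaseline on a freshly patched reference machine, copy the JSON off-host, and run the comparison from a separate management host (over PowerShell remoting, for example) after each patch cycle: a baseline stored on the same machine is only as trustworthy as the machine, and an attacker who can rewrite the kernel can rewrite a JSON file. The check is a heuristic, not a guarantee; the version a binary reports is whatever the attacker-supplied binary says it is, so a DOWNGRADED result is strong evidence of rollback while an OK result only means the reported version matches.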