New Vulnerability Risks Driver Signature Enforcement on Windows Systems
A recently uncovered attack method exposes weaknesses in Microsoft’s Driver Signature Enforcement (DSE) on fully updated Windows systems by way of an OS downgrade attack. It allows an attacker to load unsigned kernel drivers, paving the way for the deployment of custom rootkits. Such rootkits can undermine existing security measures, hide processes and network activity, and execute a range of harmful operations.
SafeBreach researcher Alon Leviev reported that this development builds upon previous findings which revealed two significant privilege escalation flaws in the Windows update process. These vulnerabilities, identified as CVE-2024-21302 and CVE-2024-38202, permit attackers to revert fully patched systems to older versions harboring unpatched security weaknesses. The exploitation is facilitated through a tool known as Windows Downdate, allowing the manipulation of the Windows Update process to achieve undetectable and irreversible downgrades of crucial OS components.
Furthermore, this technique presents an alternative to existing Bring Your Own Vulnerable Driver (BYOVD) attacks, enabling misuse of first-party modules, including the OS kernel. Microsoft has since addressed the aforementioned vulnerabilities, implementing updates on August 13 and October 8, 2024, respectively.
Leviev details that the Windows Downdate tool can downgrade essential patches, specifically the “ItsNotASecurityBoundary” DSE bypass fix on up-to-date Windows 11 systems. This new class of bugs, termed False File Immutability, was first identified by Elastic Security Labs in July 2024. The exploit hinges on leveraging a race condition to replace a legitimate security catalog with a malicious version corresponding to an unsigned kernel driver.
The mechanics of the attack involve manipulating Microsoft’s code integrity mechanism, which normally safeguards against unauthorized file execution. By tricking the kernel into loading the malicious driver, attackers gain the ability to execute arbitrary code within the kernel environment. The DSE bypass can be achieved by downgrading the “ci.dll” library to a prior, unpatched version, effectively neutralizing the protection previously established by Microsoft.
Virtualization-Based Security (VBS) is a robust barrier here, because it validates security catalogs with the Secure Kernel Code Integrity DLL (skci.dll) rather than trusting the normal kernel alone. In its default configuration, however, VBS is not protected by a Unified Extensible Firmware Interface (UEFI) lock, so an attacker with sufficient privileges can disable it simply by tampering with registry keys. Even where a UEFI lock is in place, avenues for exploitation remain, such as replacing key VBS files with invalid versions so that VBS fails to start.
The comprehensive steps an attacker would follow include disabling VBS in the Windows Registry, downgrading the ci.dll file, rebooting the system, and ultimately exploiting the DSE bypass method for kernel-level control. The only scenario where this attack falters is when VBS operates with a UEFI lock alongside a “Mandatory” flag, which could lead to system boot failures.
In light of these findings, it is critical for organizations to maintain VBS enabled with a UEFI lock and the Mandatory mode to mitigate the risk of such attacks. Security solutions must also proactively detect and block downgrade attempts on components, even those that don’t overtly breach security boundaries.
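The following read-only posture check is an added example, not code from the article or from SafeBreach. It reports whether the mitigations the article names (VBS enabled and running, a UEFI lock, the Mandatory flag, HVCI active) are in place, and flags a ci.dll whose version is older than the running kernel as a possible downgrade signal. The registry value names are assumptions based on Microsoft's documented VBS/HVCI settings; the version comparison is a heuristic, not a definitive indicator.

```powershell
# Assumed (Microsoft-documented) VBS and HVCI configuration locations.
$dg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvci = "$dg\Scenarios\HypervisorEnforcedCodeIntegrity"

function Get-RegDword($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent -> treat as not configured
}

function Test-VbsPosture {
    $cfg = [ordered]@{
        VbsEnabled   = Get-RegDword $dg   'EnableVirtualizationBasedSecurity'
        VbsUefiLock  = Get-RegDword $dg   'Locked'     # 1 = UEFI lock (assumed name)
        VbsMandatory = Get-RegDword $dg   'Mandatory'  # 1 = refuse to boot without VBS (assumed name)
        HvciEnabled  = Get-RegDword $hvci 'Enabled'
        HvciUefiLock = Get-RegDword $hvci 'Locked'
    }
    # Runtime state as reported by the Device Guard WMI/CIM provider.
    $live = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cfg.VbsRunning  = ($live.VirtualizationBasedSecurityStatus -eq 2)  # 2 = running
    $cfg.HvciRunning = (@($live.SecurityServicesRunning) -contains 2)   # 2 = HVCI

    $findings = @()
    if ($cfg.VbsEnabled -ne 1 -or -not $cfg.VbsRunning) { $findings += 'VBS is not enabled and running' }
    if ($cfg.VbsUefiLock -ne 1)  { $findings += 'VBS has no UEFI lock: a registry change alone can disable it' }
    if ($cfg.VbsMandatory -ne 1) { $findings += 'Mandatory flag not set: invalid VBS files would silently disable VBS' }
    if (-not $cfg.HvciRunning)   { $findings += 'HVCI (skci.dll catalog validation) is not running' }
    [pscustomobject]@{ Config = $cfg; Findings = $findings }
}

function Test-CiDllVersion {
    # Heuristic: a consistently patched system ships ci.dll and ntoskrnl.exe from
    # the same build, so a ci.dll older than the kernel deserves investigation.
    $ci  = (Get-Item "$env:SystemRoot\System32\ci.dll").VersionInfo
    $krn = (Get-Item "$env:SystemRoot\System32\ntoskrnl.exe").VersionInfo
    [pscustomobject]@{
        CiVersion     = $ci.FileVersionRaw
        KernelVersion = $krn.FileVersionRaw
        OlderThanKernel = ($ci.FileVersionRaw -lt $krn.FileVersionRaw)
        SignatureStatus = (Get-AuthenticodeSignature "$env:SystemRoot\System32\ci.dll").Status
    }
}

$posture = Test-VbsPosture
$posture.Config
$posture.Findings
Test-CiDllVersion
```

Run it from an elevated PowerShell session; an empty Findings list together with OlderThanKernel = False is the state the article recommends.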
In response to these vulnerabilities, Microsoft is in the process of developing a new security update that would eliminate outdated VBS system files. A representative acknowledged the complexity of such measures and emphasized the importance of thorough testing to avoid potential integration failures. They also expressed appreciation for SafeBreach’s responsible disclosure of the vulnerability, affirming the company’s commitment to customer protection while undergoing a comprehensive remediation process.
As businesses continue to navigate the evolving landscape of cybersecurity threats, the necessity of vigilance and proactive security measures cannot be overstated. The use of the MITRE ATT&CK framework offers a foundational understanding of tactics such as privilege escalation and persistence, which are central to comprehending the methodologies employed in these attacks.