Headline
Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel
A new attack technique could be used to bypass Microsoft’s Driver Signature Enforcement (DSE) on fully patched Windows systems, leading to operating system (OS) downgrade attacks. “This bypass allows loading unsigned kernel drivers, enabling attackers to deploy custom rootkits that can neutralize security controls, hide processes and network activity, maintain stealth, and much more,” SafeBreach
A new attack technique could be used to bypass Microsoft’s Driver Signature Enforcement (DSE) on fully patched Windows systems, leading to operating system (OS) downgrade attacks.
“This bypass allows loading unsigned kernel drivers, enabling attackers to deploy custom rootkits that can neutralize security controls, hide processes and network activity, maintain stealth, and much more,” SafeBreach researcher Alon Leviev said in a report shared with The Hacker News.
The latest findings build on an earlier analysis that uncovered two privilege escalation flaws in the Windows update process (CVE-2024-21302 and CVE-2024-38202) that could be weaponized to rollback an up-to-date Windows software to an older version containing unpatched security vulnerabilities.
The exploit materialized in the form of a tool dubbed Windows Downdate, which, per Leviev, could be used to hijack the Windows Update process to craft fully undetectable, persistent, and irreversible downgrades on critical OS components.
This can have severe ramifications, as it offers attackers a better alternative to Bring Your Own Vulnerable Driver (BYOVD) attacks, permitting them to downgrade first-party modules, including the OS kernel itself.
Microsoft subsequently addressed CVE-2024-21302 and CVE-2024-38202 on August 13 and October 8, 2024, respectively, as part of Patch Tuesday updates.
The latest approach devised by Leviev leverages the downgrade tool to downgrade the “ItsNotASecurityBoundary” DSE bypass patch on a fully updated Windows 11 system.
ItsNotASecurityBoundary was first documented by Elastic Security Labs researcher Gabriel Landau in July 2024 alongside PPLFault, describing them as a new bug class codenamed False File Immutability. Microsoft remediated it earlier this May.
In a nutshell, it exploits a race condition to replace a verified security catalog file with a malicious version containing authenticode signature for an unsigned kernel driver, following which the attacker prompts the kernel to load the driver.
Microsoft’s code integrity mechanism, which is used to authenticate a file using the kernel mode library ci.dll, then parses the rogue security catalog to validate the signature of the driver and load it, effectively granting the attacker the ability to execute arbitrary code in the kernel.
The DSE bypass is achieved by making use of the downgrade tool to replace the “ci.dll” library with an older version (10.0.22621.1376.) to undo the patch put in place by Microsoft.
That having said, there is a security barrier that can prevent such a bypass from being successful. If Virtualization-Based Security (VBS) is running on the targeted host, the catalog scanning is carried out by the Secure Kernel Code Integrity DLL (skci.dll), as opposed to ci.dll.
However, It’s worth noting that the default configuration is VBS without a Unified Extensible Firmware Interface (UEFI) Lock. As a result, an attacker could turn it off by tampering with the EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures registry keys.
Even in cases where UEFI lock is enabled, the attacker could disable VBS by replacing one of the core files with an invalid counterpart. Ultimately, the exploitation steps an attacker needs to follow are below -
- Turning off VBS in the Windows Registry, or invalidating SecureKernel.exe
- Downgrading ci.dll to the unpatched version
- Restarting the machine
- Exploiting ItsNotASecurityBoundary DSE bypass to achieve kernel-level code execution
The only instance where it fails is when VBS is turned on with a UEFI lock and a “Mandatory” flag, the last of which causes boot failure when VBS files are corrupted. The Mandatory mode is enabled manually by means of a registry change.
“The Mandatory setting prevents the OS loader from continuing to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load,” Microsoft notes in its documentation. “Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.”
Thus, in order to fully mitigate the attack, it’s essential that VBS is enabled with UEFI lock and the Mandatory flag set. In any other mode, it makes it possible for an adversary to turn the security feature off, perform the DDL downgrade, and achieve a DSE bypass.
“The main takeaway […] is that security solutions should try to detect and prevent downgrade procedures even for components that do not cross defined security boundaries,” Leviev told The Hacker News.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Windows 11 machines remain open to downgrade attacks, where attackers can abuse the Windows Update process to revive a patched driver signature enforcement (DSE) bypass.
A researcher used two Windows vulnerabilities to perform downgrade attacks. These flaws have now been patched by Microsoft
A researcher used two Windows vulnerabilities to perform downgrade attacks. These flaws have now been patched by Microsoft
Microsoft on Tuesday shipped fixes to address a total of 90 security flaws, including 10 zero-days, of which six have come under active exploitation in the wild. Of the 90 bugs, seven are rated Critical, 79 are rated Important, and one is rated Moderate in severity. This is also in addition to 36 vulnerabilities that the tech giant resolved in its Edge browser since last month. The Patch Tuesday
Microsoft on Tuesday shipped fixes to address a total of 90 security flaws, including 10 zero-days, of which six have come under active exploitation in the wild. Of the 90 bugs, seven are rated Critical, 79 are rated Important, and one is rated Moderate in severity. This is also in addition to 36 vulnerabilities that the tech giant resolved in its Edge browser since last month. The Patch Tuesday
The most serious of the issues included in August’s Patch Tuesday is CVE-2024-38063, a remote code execution vulnerability in Windows TCP/IP.
Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could result in unauthorized disclosure of sensitive information to malicious actors. The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), has been described as a spoofing flaw that affects the following versions of Office - Microsoft Office 2016 for 32-bit edition and 64-bit editions Microsoft
Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could result in unauthorized disclosure of sensitive information to malicious actors. The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), has been described as a spoofing flaw that affects the following versions of Office - Microsoft Office 2016 for 32-bit edition and 64-bit editions Microsoft
Microsoft said it is developing security updates to address two loopholes that it said could be abused to stage downgrade attacks against the Windows update architecture and replace current versions of the operating system files with older versions. The vulnerabilities are listed below - CVE-2024-38202 (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability CVE-2024-21302
Microsoft said it is developing security updates to address two loopholes that it said could be abused to stage downgrade attacks against the Windows update architecture and replace current versions of the operating system files with older versions. The vulnerabilities are listed below - CVE-2024-38202 (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability CVE-2024-21302