PoC Exploit Released for Windows 0-Day Downgrade Attack


A proof-of-concept (PoC) exploit has been publicly released for a pair of zero-day vulnerabilities in Microsoft Windows that enable a novel "downgrade attack." The flaws, tracked as CVE-2024-38202 and CVE-2024-21302, were originally disclosed by SafeBreach researcher Alon Leviev at Black Hat USA 2024 and DEF CON 32 earlier this month.

The vulnerabilities allow an attacker to manipulate the Windows Update process to stealthily downgrade a fully patched Windows system to an older, vulnerable state. This effectively turns previously fixed security holes into exploitable zero-day vulnerabilities again.


“As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term ‘fully patched’ meaningless on any Windows machine in the world,” Alon Leviev of Safebreach explained in his original research.

Leviev has now released the PoC exploit, dubbed “Windows Downdate”, on GitHub. The tool automates the exploitation of the two zero-days to take control of the Windows Update process and craft “fully undetectable, invisible, persistent, and irreversible downgrades” on critical OS components.


Windows Downdate is able to bypass integrity verification, TrustedInstaller enforcement, and other security checks to downgrade core Windows DLLs, drivers, and even the NT kernel itself. It can also downgrade Virtualization-Based Security (VBS) components such as Credential Guard and the Hyper-V hypervisor, re-exposing privilege escalation flaws that had already been patched.


The impact is severe: an attacker could use these techniques to quietly revert a fully up-to-date Windows deployment to a vulnerable state, re-enabling exploitation of any of thousands of previously patched vulnerabilities. According to the research, the built-in OS scanning and recovery tools report the downgraded system as healthy, so they do not detect a malicious downgrade.

The tool works by abusing unprotected elements of the Windows Update architecture to push the downgrade through the normal update path, disabling key security features along the way, which is why the result is so hard to detect and to reverse.
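Because the OS's own scanning tools trust the (downgraded) servicing metadata, the practical check is an out-of-band one: record the versions of servicing-protected binaries right after patching, keep that record off the host, and compare later. The following PowerShell is an added example written for this article; it is not SafeBreach's Windows Downdate tool and not a Microsoft utility. The list of files it watches is an assumption chosen to match the components the article names (NT kernel, VBS secure kernel, code integrity, Hyper-V hypervisor); extend it with the drivers and DLLs that matter in your environment.

```powershell
# Added example for this article; not SafeBreach's tool and not a Microsoft utility.
# Records file versions (and hashes) of a few servicing-protected binaries and
# later flags any that moved to an OLDER version. The file list is an assumption.

function Get-ComponentVersions {
    param(
        [string[]]$Paths = @(
            "$env:SystemRoot\System32\ntoskrnl.exe",      # NT kernel
            "$env:SystemRoot\System32\securekernel.exe",  # VBS secure kernel
            "$env:SystemRoot\System32\ci.dll",            # code integrity
            "$env:SystemRoot\System32\hvix64.exe",        # Hyper-V hypervisor (Intel)
            "$env:SystemRoot\System32\hvax64.exe"         # Hyper-V hypervisor (AMD)
        )
    )
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $vi = (Get-Item -LiteralPath $p).VersionInfo
        # Build a real [version] from the numeric parts. The FileVersion string is
        # free text and would compare lexically ("10.0.22621.4" > "10.0.22621.3958").
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path    = $p
            Version = $ver.ToString()
            Sha256  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

function Compare-ComponentVersions {
    param(
        [Parameter(Mandatory)] [object[]]$Baseline,  # Get-ComponentVersions output, stored off-host
        [Parameter(Mandatory)] [object[]]$Current    # Get-ComponentVersions output, taken now
    )
    $now = @{}
    foreach ($c in $Current) { $now[$c.Path] = $c }
    foreach ($b in $Baseline) {
        $c = $now[$b.Path]
        $status = if ($null -eq $c) { 'Missing' }
                  elseif ([version]$c.Version -lt [version]$b.Version) { 'DOWNGRADED' }
                  elseif ([version]$c.Version -gt [version]$b.Version) { 'Updated' }
                  elseif ($c.Sha256 -ne $b.Sha256) { 'SameVersionDifferentHash' }
                  else { 'Unchanged' }
        [pscustomobject]@{ Path = $b.Path; Baseline = $b.Version; Current = $c.Version; Status = $status }
    }
}

# Usage: take the baseline right after patching and keep it OFF the host
# (an attacker who can downgrade the kernel can also edit a local file).
#   Get-ComponentVersions | ConvertTo-Json | Set-Content \\server\share\$env:COMPUTERNAME.json
# Later, on the same machine:
#   $base = Get-Content \\server\share\$env:COMPUTERNAME.json | ConvertFrom-Json
#   Compare-ComponentVersions -Baseline $base -Current (Get-ComponentVersions) |
#       Where-Object Status -ne 'Unchanged' | Format-Table
```

A `DOWNGRADED` row is the signal this article is about: the binary is a genuine, signed Microsoft file, just an older one, so signature checks pass and only the version comparison exposes it. `SameVersionDifferentHash` catches a file swapped without a version change, and `Updated` rows are expected after a legitimate patch cycle, at which point the baseline should be re-taken.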


Microsoft acknowledged the zero-days in a pair of advisories on August 7 and said it is working on patches. At the time the PoC was published, however, fixes were still not available, which Leviev cited as his reason for releasing the tool: to raise awareness and spur faster patching.

“Microsoft is developing a security update that will revoke outdated, unpatched VBS system files to mitigate this vulnerability, but it is not yet available,” the company said in its advisory for CVE-2024-21302.

In the meantime, Microsoft has provided interim mitigation steps, such as applying an Access Control List (ACL) or Discretionary Access Control List (DACL) to restrict who can access and modify the PoqexecCmdline registry key that the attack relies on.
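What that ACL/DACL mitigation looks like in practice, as an added example written for this article (it is not Microsoft's advisory text and not part of the Windows Downdate repository): the function below takes a registry key path, makes SYSTEM and TrustedInstaller the only principals with write access, drops Administrators to read, and adds a SACL entry so any write attempt is logged. The page does not give the location of the PoqexecCmdline key, so the path is a parameter that you supply from Microsoft's advisory; the event IDs and the `auditpol` subcategory named in the comments are standard Windows values, not from the article.

```powershell
#Requires -RunAsAdministrator
using namespace System.Security.AccessControl

# Added example for this article; not Microsoft's advisory text and not part of
# the Windows Downdate repository. Hardens ONE registry key: only SYSTEM and
# TrustedInstaller keep write access, Administrators drop to read, and a SACL
# entry logs every write attempt. The key path comes from the caller.

function Protect-RegistryKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$KeyPath   # provider path of the key named in the advisory, e.g. 'HKLM:\...'
    )

    $inherit = [InheritanceFlags]::ContainerInherit   # subkeys inherit the new rules
    $prop    = [PropagationFlags]::None

    # Current descriptor including the SACL (-Audit needs SeSecurityPrivilege,
    # which an elevated administrator has).
    $acl = Get-Acl -Path $KeyPath -Audit

    # Stop inheriting from the parent and discard inherited ACEs, then remove the
    # explicit ones, so the key ends up with exactly the rules added below.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in $acl.Access) {
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRuleAll($ace) }
    }

    foreach ($id in 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller') {
        $acl.AddAccessRule([RegistryAccessRule]::new(
            $id, [RegistryRights]::FullControl, $inherit, $prop, [AccessControlType]::Allow))
    }
    # Administrators can still inspect the key but can no longer change it.
    $acl.AddAccessRule([RegistryAccessRule]::new(
        'BUILTIN\Administrators', [RegistryRights]::ReadKey, $inherit, $prop, [AccessControlType]::Allow))

    # Audit successful and failed write-type access by anyone. With the "Registry"
    # audit subcategory enabled, attempts appear in the Security log as Event ID
    # 4663 (access attempt) and 4657 (value modified).
    $writeRights = [RegistryRights]::SetValue -bor [RegistryRights]::CreateSubKey -bor
                   [RegistryRights]::Delete -bor [RegistryRights]::ChangePermissions -bor
                   [RegistryRights]::TakeOwnership
    $acl.AddAuditRule([RegistryAuditRule]::new(
        'Everyone', $writeRights, $inherit, $prop, [AuditFlags]'Success,Failure'))

    if ($PSCmdlet.ShouldProcess($KeyPath, 'Replace DACL and SACL')) {
        Set-Acl -Path $KeyPath -AclObject $acl
    }
    # Return the descriptor as now stored, for verification or for a change record.
    Get-Acl -Path $KeyPath -Audit | Select-Object Path, Owner, AccessToString, AuditToString
}

# Usage: dry run first, then apply, then turn on the audit subcategory so the
# SACL actually produces events.
#   Protect-RegistryKey -KeyPath $keyFromAdvisory -WhatIf
#   Protect-RegistryKey -KeyPath $keyFromAdvisory
#   auditpol /set /subcategory:"Registry" /success:enable /failure:enable
```

Scope the call to the exact key the advisory names and test it in a lab first: legitimate installers and servicing components write under broad parent keys, and a read-only ACE for Administrators on such a key will break them. The SACL is the part that turns a bypassed mitigation into a detection: a write that succeeds anyway (for example via a TrustedInstaller token) still lands in the Security log.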

But security experts warn that these measures are partial mitigations rather than a fix and can be bypassed by a determined attacker. Full remediation requires installing Microsoft's official security updates once they are available.

The incident highlights the danger of flaws in core OS components and, more broadly, in OS design: a single weakness in a trusted servicing path can be used to persistently re-expose every vulnerability that path once fixed. It also underscores the need for more proactive research into these complex, long-lived attack surfaces.

“Design features within an OS should always be reviewed and regarded as a relevant attack surface, regardless of how old the feature may be,” Alon Leviev said. “We believe other OSs may be equally susceptible to similar attack vectors and that all OS vendors must be vigilant against the dangers they pose.”

