Windows Downdate tool lets you ‘unpatch’ Windows systems


SafeBreach security researcher Alon Leviev has released his Windows Downdate tool, which can be used for downgrade attacks that reintroduce old vulnerabilities in up-to-date Windows 10, Windows 11, and Windows Server systems.

In such attacks, threat actors force up-to-date targeted devices to revert to older software versions, thus reintroducing security vulnerabilities that can be exploited to compromise the system.

Windows Downdate is available as an open-source Python-based program and a pre-compiled Windows executable that can help downgrade Windows 10, Windows 11, and Windows Server system components.

Leviev has also shared multiple usage examples that allow downgrading the Hyper-V hypervisor (to a two-year-old version), Windows Kernel, the NTFS driver, and the Filter Manager driver (to their base versions), and other Windows components and previously applied security patches.

“You can use it to take over Windows Updates to downgrade and expose past vulnerabilities sourced in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets and more,” SafeBreach security researcher Alon Leviev explained.

“Other than custom downgrades, Windows Downdate provides easy to use usage examples of reverting patches for CVE-2021-27090, CVE-2022-34709, CVE-2023-21768 and PPLFault, as well as examples for downgrading the hypervisor, the kernel, and bypassing VBS’s UEFI locks.”

Leviev-Windows-Downdate-tweet

As Leviev said at Black Hat 2024 when he disclosed the Windows Downdate downgrade attack—which exploits the CVE-2024-21302 and CVE-2024-38202 vulnerabilities—using this tool is undetectable because it cannot be blocked by endpoint detection and response (EDR) solutions and Windows Update keeps reporting that the targeted system is up-to-date (despite being downgraded).

“I discovered multiple ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code integrity (HVCI), even when enforced with UEFI locks. To my knowledge, this is the first time VBS’s UEFI locks have been bypassed without physical access,” Leviev said.

“As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term “fully patched” meaningless on any Windows machine in the world.”

While Microsoft released a security update (KB5041773) to fix the CVE-2024-21302 Windows Secure Kernel Mode privilege escalation flaw on August 7, the company has yet to provide a patch for CVE-2024-38202, a Windows Update Stack elevation of privilege vulnerability.

Until a security update is released, Redmond advises customers to implement recommendations shared in the security advisory published earlier this month to help protect against Windows Downdate downgrade attacks.

Mitigation measures for this issue include configuring “Audit Object Access” settings to monitor file access attempts, restricting update and restore operations, using Access Control Lists to limit file access, and auditing privileges to identify attempts to exploit this vulnerability.



Source link