downgrade attacks

Tech Optimizer
May 27, 2025
Hackers are increasingly targeting the startup sequence of systems, focusing on BIOS, UEFI, and bootloaders, which allows them to bypass traditional operating system defenses. Firmware threats often evade conventional security measures, providing attackers with a persistent foothold. Notable bootkits like BlackLotus, BootHole, and EFILock exploit vulnerabilities in boot components, even those protected by Secure Boot. Attackers can embed malicious code in firmware or replace legitimate bootloaders, maintaining control through OS reinstalls and hardware replacements. Common attack vectors include compromised storage, network connections, or console inputs during boot. Malicious code can execute before security software activates, and attackers may exploit misconfigured or outdated signature databases, as well as downgrade attacks on older firmware versions. To mitigate these threats, organizations should enforce Secure Boot policies, regularly update signature databases, and monitor boot behavior for anomalies.
Winsage
October 28, 2024
Microsoft's approach to security vulnerabilities has been criticized for not classifying scenarios where an attacker with administrative privileges can execute kernel-level code as critical vulnerabilities. SafeBreach researchers highlighted that this narrow definition leaves systems vulnerable to custom rootkits that can bypass essential security controls. They identified CVE-2024-21302, a privilege escalation vulnerability affecting the Windows virtualization stack, and CVE-2024-38202, which allows attackers to exploit the Windows Update process to disable security features like Driver Signature Enforcement and virtualization-based security. Microsoft is actively developing mitigations for these vulnerabilities and has released a security update for CVE-2024-38202 on October 15, with further updates planned for CVE-2024-21302.
Winsage
October 28, 2024
Cybersecurity experts have discovered a method that allows cybercriminals to bypass Windows security features, specifically Driver Signature Enforcement (DSE), enabling the installation of rootkits on fully updated systems. Alon Leviev from SafeBreach reported that the exploit involves downgrading specific Windows kernel components, making Windows 11 devices particularly vulnerable. Despite notifying Microsoft, no fix has been implemented, as the company stated the vulnerability does not breach a “security boundary” since administrator access is required for exploitation. Leviev presented this vulnerability at the Black Hat and DEF CON 2024 conferences, introducing a tool called Windows Downdate that can reactivate previously patched vulnerabilities. He demonstrated downgrading components on Windows 11 to bypass DSE and install rootkits that disable security software. A key part of his attack involved replacing the ci.dll file with an unpatched version, which requires a system restart and disguises the action as a routine update. Leviev also showed methods to disable Virtualization-Based Security (VBS) by modifying settings and files. Microsoft is working on a solution to block outdated system files and prevent downgrade attacks, but the timeline for this fix is uncertain due to the need for thorough testing. Leviev advises organizations to remain vigilant against downgrade attacks until a resolution is available.
Winsage
October 28, 2024
A newly identified attack technique poses a risk to fully patched Windows systems by circumventing Microsoft's Driver Signature Enforcement (DSE), potentially enabling operating system downgrade attacks that allow malicious actors to load unsigned kernel drivers. This vulnerability is linked to two privilege escalation flaws in the Windows update mechanism, identified as CVE-2024-21302 and CVE-2024-38202, which can be exploited to revert updated systems to earlier versions with unpatched security weaknesses. A tool called Windows Downdate can hijack the Windows Update process, facilitating undetectable downgrades of critical OS components. The exploit takes advantage of a race condition to replace a verified security catalog file with a malicious version, allowing the loading of an unsigned kernel driver. The DSE bypass can be executed by downgrading the "ci.dll" library, but can be thwarted if Virtualization-Based Security (VBS) is active on the host. Attackers can disable VBS by manipulating registry keys, and the attack fails only if VBS is enabled with a UEFI lock and a "Mandatory" flag, which prevents booting if VBS files are corrupted. Microsoft has addressed the vulnerabilities in August and October 2024.
Winsage
October 26, 2024
SafeBreach security researcher Alon Leviev has identified a vulnerability in the Windows operating system that allows attackers to downgrade kernel components, bypassing security measures like Driver Signature Enforcement (DSE). This vulnerability enables the installation of rootkits on fully patched systems. Leviev demonstrated that attackers can manipulate the Windows Update process to introduce outdated components without altering the system's patched status. He introduced a tool called Windows Downdate, which allows the creation of custom downgrades, exposing updated systems to previously patched vulnerabilities. Leviev's method, named "ItsNotASecurityBoundary," exploits a flaw in the DSE, allowing unsigned kernel drivers to be loaded and facilitating the deployment of rootkit malware. Despite Microsoft addressing the privilege escalation aspect of this vulnerability, it does not protect against downgrade attacks. Leviev's research shows that attackers can replace the 'ci.dll' file responsible for enforcing DSE with an unpatched version during the Windows Update process, thereby circumventing protections. He also discussed methods to disable Microsoft's Virtualization-based Security (VBS), which is designed to protect critical resources, by modifying registry keys. Leviev emphasizes the need for endpoint security tools to monitor downgrade procedures to mitigate these risks.
Winsage
August 28, 2024
At the Black Hat 2024 conference, SafeBreach researcher Alon Leviev introduced a tool called Windows Downdate, which can silently reverse security patches on Windows 10, Windows 11, and Windows Server systems. This open-source Python program allows users to execute downgrade attacks, reintroducing previously patched vulnerabilities, including CVE-2024-21302 and CVE-2024-38202. The tool can bypass Windows Update, making it appear that the system is fully updated while it has been downgraded. Leviev demonstrated its use by reverting the Hyper-V hypervisor and other Windows components to earlier versions. Microsoft released a security update on August 7 for CVE-2024-21302 but has not yet issued a patch for CVE-2024-38202. Until a patch is available, Microsoft recommends users follow specific security guidelines to mitigate risks.
Winsage
August 27, 2024
SafeBreach security researcher Alon Leviev has introduced a tool called Windows Downdate, which enables downgrade attacks on Windows 10, Windows 11, and Windows Server systems, allowing malicious actors to revert updated devices to older software versions and exploit previously patched vulnerabilities. The tool is open-source and built on Python, facilitating the downgrading of system components such as the Hyper-V hypervisor and Windows Kernel. Leviev provided examples of reverting patches for vulnerabilities like CVE-2021-27090, CVE-2022-34709, CVE-2023-21768, and PPLFault. The tool exploits vulnerabilities CVE-2024-21302 and CVE-2024-38202 and operates undetected by endpoint detection solutions, misleading users into believing their systems are up-to-date. Leviev demonstrated methods to disable Windows virtualization-based security (VBS) features without physical access. Microsoft released a security update (KB5041773) on August 7 to address CVE-2024-21302, but a patch for CVE-2024-38202 is still pending. Microsoft advises customers to implement protective measures, including configuring "Audit Object Access" settings, restricting update operations, utilizing Access Control Lists, and auditing privileges.
Winsage
August 14, 2024
Microsoft released an update on August 14, 2024, addressing 90 security vulnerabilities, including 10 zero-day flaws, with six actively exploited. Nine vulnerabilities are classified as Critical, 80 as Important, and one as Moderate. The six actively exploited zero-days include:
- CVE-2024-38189 (CVSS score: 8.8) - Microsoft Project Remote Code Execution Vulnerability
- CVE-2024-38178 (CVSS score: 7.5) - Windows Scripting Engine Memory Corruption Vulnerability
- CVE-2024-38193 (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
- CVE-2024-38106 (CVSS score: 7.0) - Windows Kernel Elevation of Privilege Vulnerability
- CVE-2024-38107 (CVSS score: 7.8) - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
- CVE-2024-38213 (CVSS score: 6.5) - Windows Mark of the Web Security Feature Bypass Vulnerability
CVE-2024-38213 allows attackers to bypass SmartScreen protections by persuading users to open malicious files. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring federal agencies to implement fixes by September 3, 2024. Four publicly known vulnerabilities include:
- CVE-2024-38200 (CVSS score: 7.5) - Microsoft Office Spoofing Vulnerability
- CVE-2024-38199 (CVSS score: 9.8) - Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability
- CVE-2024-21302 (CVSS score: 6.7) - Windows Secure Kernel Mode Elevation of Privilege Vulnerability
- CVE-2024-38202 (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-38198 (CVSS score: 7.8) is a privilege escalation flaw in the Print Spooler component. Microsoft has not yet provided updates for CVE-2024-38202 and CVE-2024-21302. Additionally, a denial-of-service flaw in the Common Log File System driver (CVE-2024-6768, CVSS score: 6.8) could lead to system crashes. A Microsoft spokesperson stated that the DoS issue does not require immediate servicing but will be considered for future updates. Other vendors have also released security updates addressing multiple vulnerabilities.