Recent findings have revealed a significant vulnerability in fully patched Windows 11 systems, exposing them to potential attacks that could allow adversaries to install custom rootkits. These rootkits can effectively neutralize endpoint security mechanisms, conceal malicious processes and network activity, and maintain persistence on compromised systems.
The vulnerability stems from a technique known as a downgrade attack, which was demonstrated by SafeBreach security researcher Alon Leviev at Black Hat USA 2024. During his presentation, Leviev introduced an exploit tool named Windows Downdate, illustrating how an attacker with administrative access could manipulate the Windows Update process. This manipulation enables the reversion of fully patched Windows components—including dynamic link libraries, drivers, and the kernel—back to previously vulnerable states.
Windows OS Downgrade Attack
Leviev’s demonstration revealed that even organizations employing virtualization-based security (VBS) to safeguard critical OS components are not immune. He showcased the ability to downgrade VBS features such as Secure Kernel and Credential Guard’s Isolated User Mode Process, thereby exposing privilege escalation vulnerabilities that Microsoft had previously addressed.
In his own words, Leviev noted, “I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term ‘fully patched’ meaningless on any Windows machine in the world.”
Since the demonstration, Microsoft has patched two vulnerabilities, CVE-2024-21302 and CVE-2024-38202, which Leviev reported after discovering them during his attack chain. However, the company has yet to address the core issue: the potential for an attacker with admin access to exploit the Windows Update process to downgrade critical OS components back to insecure states.
Not a Security Vulnerability?
The crux of the issue lies in Microsoft’s stance that the ability for an admin-level user to gain kernel code execution does not constitute crossing a security boundary. Leviev explained, “Microsoft did fix every vulnerability that resulted from crossing a defined security boundary. Crossing from administrator to the kernel is not considered a security boundary, and hence it was not fixed.”
To further illustrate the ongoing threat, Leviev released details of a new Windows downgrade attack on October 26. He employed his Windows Downdate tool to revive a driver signature enforcement (DSE) bypass attack that Microsoft had previously mitigated with its patch for CVE-2024-21302. This revival demonstrated how an attacker could exploit the issue to load unsigned kernel drivers and deploy custom rootkits.
Leviev categorized this new flaw as part of a class known as False File Immutability (FFI), which exploits incorrect assumptions about file immutability. He explained that all he needed to do was identify the specific OS module (CI.dll) that Microsoft had patched and then utilize his Downdate tool to revert it to its unpatched version. “Downgrading only ci.dll to its unpatched version works well against a fully patched Windows 11 23h2 machine,” he noted.
Leviev emphasized that he could execute the attack even with VBS enabled, regardless of whether UEFI lock was in place to secure the boot process. He stated, “To fully mitigate the attack, VBS needs to be enabled with UEFI lock and the ‘Mandatory’ flag. Otherwise, it would be possible for an attacker to disable VBS, downgrade ci.dll, and successfully exploit the flaw.”
Tim Peck, a senior threat researcher at Securonix, commented on the Windows Downdate attacks, noting that they exploit Windows’ failure to consistently validate the version numbers of its DLLs when loading them. This oversight allows attackers to trick the operating system into utilizing outdated files that are more vulnerable to exploitation. “If the attacker is able to downgrade Windows Defender, especially regarding security updates, they would have free rein to execute malicious files or tactics that would normally have been caught,” he explained.
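As a defender's check for the two points above (the VBS with UEFI lock and "Mandatory" flag configuration Leviev names, and Peck's observation that Windows does not consistently validate DLL versions on load), the following PowerShell audit script is an added example; it is not from the article, SafeBreach, or Microsoft. It reads the runtime VBS state from the Win32_DeviceGuard WMI class and the Locked and Mandatory values under the DeviceGuard registry key (value names as used in Microsoft's DeviceGuard and KB5042562 guidance), then records the file version and SHA-256 of ci.dll in a baseline file and flags a version regression on later runs. $BaselinePath is an assumed location, and the function names are this example's own.

```powershell
# Added example, not the article's or Microsoft's code. Run in an elevated
# PowerShell on Windows 11. Audits VBS hardening and detects a ci.dll downgrade
# by comparing the on-disk version with a recorded baseline.

$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$HvciKey        = "$DeviceGuardKey\Scenarios\HypervisorEnforcedCodeIntegrity"
$BaselinePath   = "$env:ProgramData\ci-dll-baseline.json"   # assumed location

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-VbsHardening {
    # Runtime state from the Device Guard WMI provider:
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $findings = [ordered]@{
        VbsRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning  = ($dg.SecurityServicesRunning -contains 2)
        VbsUefiLock  = ((Get-RegDword $DeviceGuardKey 'Locked') -eq 1)    # UEFI lock for VBS
        HvciUefiLock = ((Get-RegDword $HvciKey 'Locked') -eq 1)           # UEFI lock for HVCI
        VbsMandatory = ((Get-RegDword $DeviceGuardKey 'Mandatory') -eq 1) # boot fails if VBS cannot start
    }
    foreach ($name in $findings.Keys) {
        $state = if ($findings[$name]) { 'OK' } else { 'MISSING' }
        Write-Output ('{0,-8} {1}' -f $state, $name)
    }
    return $findings
}

function Get-CiVersion {
    # FileVersionRaw is parsed from the VS_VERSIONINFO resource, unlike the
    # free-text FileVersion string, so it compares reliably as a [version].
    $file = Get-Item "$env:SystemRoot\System32\ci.dll"
    [pscustomobject]@{
        Path    = $file.FullName
        Version = $file.VersionInfo.FileVersionRaw.ToString()
        Sha256  = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    }
}

function Compare-CiBaseline {
    param([string]$Path = $BaselinePath)
    $current = Get-CiVersion
    if (-not (Test-Path $Path)) {
        # First run on a machine believed to be clean: record the baseline.
        $current | ConvertTo-Json | Set-Content -Path $Path
        Write-Output "Baseline recorded: ci.dll $($current.Version)"
        return 'baseline-created'
    }
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $cur  = [version]$current.Version
    $base = [version]$baseline.Version
    if ($cur -lt $base) {
        # The downgrade signal: the file on disk is older than the one last seen.
        Write-Warning "ci.dll DOWNGRADED: $base -> $cur (sha256 $($current.Sha256))"
        return 'downgraded'
    }
    elseif ($cur -gt $base) {
        # A legitimate update moved the version forward; refresh the baseline.
        $current | ConvertTo-Json | Set-Content -Path $Path
        Write-Output "ci.dll updated: $base -> $cur; baseline refreshed"
        return 'updated'
    }
    elseif ($current.Sha256 -ne $baseline.Sha256) {
        # Same version string but different bytes deserves a look too.
        Write-Warning "ci.dll version unchanged but hash differs: $($current.Sha256)"
        return 'hash-mismatch'
    }
    Write-Output "ci.dll unchanged at $cur"
    return 'unchanged'
}

$null = Test-VbsHardening
$null = Compare-CiBaseline
```

Run it once on a machine you believe is clean to create the baseline, then on a schedule; a later run reporting "downgraded" or "hash-mismatch" for ci.dll, or "MISSING" for VbsUefiLock or VbsMandatory, is the condition the article describes. The check reads the file on disk and the registry, so it complements rather than replaces the revocation of unpatched VBS files that Microsoft says it is developing.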
Microsoft Is Now Working on a Fix
A Microsoft spokesperson confirmed that the company is “actively developing mitigations to protect against these risks,” although specific measures and timelines remain undisclosed. The spokesperson elaborated that the company is thoroughly investigating update development and compatibility issues.
“We are developing a security update that will revoke outdated, unpatched VBS system files to mitigate this threat,” the spokesperson stated. “Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions.”
Microsoft will also continue to provide updates regarding CVE-2024-21302, along with additional mitigation or relevant risk reduction guidance as it becomes available.