Windows patches can be forcibly reversed, reopening bugs

This week at the Black Hat conference in Las Vegas, Alon Leviev, a researcher from SafeBreach, unveiled a series of techniques that could allow unauthorized users to forcibly remove security patches from Windows machines. These methods, while alarming, primarily serve those who already possess administrative access or can manipulate privileged accounts, enabling them to exploit previously fixed vulnerabilities.

Leviev’s approach draws inspiration from the BlackLotus UEFI bootkit, which downgraded the Windows boot manager, thereby bypassing Secure Boot. In an interview, he explained,

“I found a way to take over Windows updates to update the system, but with control over all of the actual update contents. I was able to downgrade the OS kernel, DLLs, drivers … basically everything that I wanted.”

Technical Insights

The techniques apply to Windows 10, Windows 11 and Windows Server, including the virtualization-based security (VBS) components built on Hyper-V. Leviev noted that the entire virtualization stack is susceptible to these downgrades, stating, “It’s simple to downgrade credential guard, the secure kernel, and even the hypervisor itself, and compromising the hypervisor gives even more privilege than the kernel, which makes it even more valuable.”

What sets this method apart is its stealth. Leviev emphasized that the process is undetectable because it looks like a legitimate system update rather than the installation of malicious software. “It is fully undetectable because it’s performed in the most legitimate way [and] is invisible because we didn’t install anything – we updated the system,” he explained. The practical consequence for defenders is that the files written back to disk are genuine, Microsoft-signed older builds: signature and code-integrity checks still pass, and the only thing that moves the wrong way is the version number of each component.
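Because a rollback leaves validly signed binaries behind, the check a practitioner can actually run is a version comparison: record the versions of the kernel, secure kernel, hypervisor and boot components once, then flag any file whose version later goes down, together with any VBS service that was running at baseline time and is no longer. The script below is an added example written for this article; it is not from the original page and not part of SafeBreach's Windows Downdate tool. The file list, the baseline location and the JSON layout are my own assumptions.

```powershell
# Added example, not the article's or SafeBreach's code. Run elevated:
#   .\Test-VbsDowngrade.ps1 -WriteBaseline     # once, on a known-good host
#   .\Test-VbsDowngrade.ps1                    # later, to look for regressions
param(
    [string]$BaselinePath = "$env:ProgramData\vbs-baseline.json",  # assumed location
    [switch]$WriteBaseline
)

$sys32 = "$env:SystemRoot\System32"

# Files a downgrade would have to replace (assumed list): kernel, secure kernel,
# hypervisor (hvix64 on Intel, hvax64 on AMD), hypervisor loader, code integrity,
# OS loader and boot manager. Files that do not exist on this host are skipped.
$targets = @(
    "$sys32\ntoskrnl.exe",
    "$sys32\securekernel.exe",
    "$sys32\hvix64.exe",
    "$sys32\hvax64.exe",
    "$sys32\hvloader.dll",
    "$sys32\ci.dll",
    "$sys32\winload.efi",
    "$env:SystemRoot\Boot\EFI\bootmgfw.efi"
)

function Get-ComponentState {
    $state = @{}
    foreach ($path in $targets) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $vi  = (Get-Item -LiteralPath $path).VersionInfo
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        # Signature status is recorded, but it is not a downgrade indicator by itself:
        # the rolled-back binaries are older Microsoft-signed builds and still verify.
        $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
        $state[$path] = @{ Version = $ver.ToString(); Signature = [string]$sig }
    }
    return $state
}

function Get-VbsStatus {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    return @{
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard = (@($dg.SecurityServicesRunning) -contains 1)
        Hvci            = (@($dg.SecurityServicesRunning) -contains 2)
    }
}

function Compare-ToBaseline {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($path in $Baseline.Keys) {
        if (-not $Current.ContainsKey($path)) {
            $findings += "MISSING   $path (present at baseline)"
            continue
        }
        $old = [version]$Baseline[$path].Version
        $new = [version]$Current[$path].Version
        if ($new -lt $old) {
            # Legitimate servicing only moves these versions forward; a decrease is the signal.
            $findings += "DOWNGRADE $path $old -> $new"
        } elseif ($Current[$path].Signature -ne 'Valid') {
            $findings += "BADSIG    $path ($($Current[$path].Signature))"
        }
    }
    return $findings
}

$current = Get-ComponentState
$vbs     = Get-VbsStatus

if ($WriteBaseline) {
    @{ Components = $current; Vbs = $vbs } | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $BaselinePath
    "Baseline written to $BaselinePath ($($current.Count) files)"
    return
}

# ConvertFrom-Json yields PSCustomObjects; rebuild the hashtable the comparison expects.
$saved    = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
$baseline = @{}
foreach ($prop in $saved.Components.PSObject.Properties) {
    $baseline[$prop.Name] = @{ Version = $prop.Value.Version; Signature = $prop.Value.Signature }
}

$findings = @(Compare-ToBaseline -Baseline $baseline -Current $current)
foreach ($svc in 'VbsRunning', 'CredentialGuard', 'Hvci') {
    if ($saved.Vbs.$svc -and -not $vbs[$svc]) { $findings += "SERVICE   $svc was running at baseline and is not running now" }
}

if ($findings.Count -eq 0) { "No regressions against baseline" } else { $findings | ForEach-Object { Write-Warning $_ } }
```

The comparison only has value if the baseline cannot be rewritten by the same account that performs the rollback, so keep the JSON off the host (a read-only share, or a copy collected by your endpoint agent) rather than relying on the default path shown here. A version decrease in any of these files, or a VBS service that silently stopped, is worth treating as an incident even when every signature still reads Valid.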

Microsoft’s Response

Microsoft was informed of the findings roughly six months before the conference. To coincide with Leviev’s presentation, the company issued two out-of-band advisories covering the weaknesses he identified. Microsoft has acknowledged the vulnerabilities, but a comprehensive fix has yet to ship.

In a statement, Microsoft expressed appreciation for SafeBreach’s responsible disclosure, stating, “We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption.”

The first advisory, tracked as CVE-2024-38202, addresses an elevation-of-privilege vulnerability within the Windows Update Stack. It notes that an attacker with basic user privileges could potentially reintroduce previously mitigated vulnerabilities or bypass certain features of Virtualization Based Security (VBS). Although Microsoft is working on a security update, it is not yet available.

Microsoft also highlighted that while this vulnerability could be exploited by non-privileged users, additional steps involving a privileged account are necessary to execute the unauthorized rollback of updates. “An attacker attempting to exploit this vulnerability requires additional interaction by a privileged user to be successful,” the company stated.

The second advisory, CVE-2024-21302, pertains to a Windows secure kernel mode elevation-of-privilege vulnerability, which requires administrative rights to exploit. This vulnerability could allow an attacker to replace current Windows system files with outdated versions, thereby reintroducing previously mitigated vulnerabilities and exfiltrating data protected by VBS.

To demonstrate the impact, Leviev presented a proof-of-concept tool named Windows Downdate at Black Hat, which he said would be released so that defenders can test their own systems for exposure. He has also published his findings in full.
