Windows drags its feet on patching a downgrade flaw that can revert a patched system to a vulnerable version
Take action: There is not much you can do about these flaws except being aware of them and of how slowly they are being fixed. Keep your computer updated and a patch will eventually arrive. Or just move to Linux or macOS.
Learn More
SafeBreach security researcher Alon Leviev unveiled at Black Hat 2024 two zero-day vulnerabilities that could be exploited in downgrade attacks, allowing fully updated Windows 10, Windows 11, and Windows Server systems to be "unpatched" and exposed to old vulnerabilities.
These vulnerabilities are tracked as:
CVE-2024-38202 - This vulnerability pertains to the Windows Update Stack Elevation of Privilege, allowing attackers with basic user privileges to "unpatch" previously mitigated security bugs or bypass Virtualization Based Security (VBS) features.
CVE-2024-21302 - This vulnerability involves Windows Secure Kernel Mode Elevation of Privilege, enabling attackers with admin privileges to replace Windows system files with outdated and vulnerable versions.
Exploitation Details
Leviev demonstrated that the Windows update process could be compromised to downgrade critical OS components, such as dynamic link libraries (DLLs) and the NT Kernel. Despite these components being outdated, the operating system reported itself as fully updated, making the downgrade undetectable by recovery and scanning tools. This includes downgrading Credential Guard's Secure Kernel and Isolated User Mode process and Hyper-V's hypervisor to reintroduce past privilege escalation vulnerabilities.
These vulnerabilities can make Windows machines susceptible to thousands of past vulnerabilities. The revert is undetectable by endpoint detection and response (EDR) solutions, and Windows Update incorrectly reports that the device is fully updated despite being downgraded.
Leviev reported the flaws to Microsoft in February as part of a coordinated responsible disclosure process. The flaws remain unpatched.
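Because Windows Update's own status cannot be trusted here, a defender needs an independent check of what is actually on disk. The following is an added PowerShell example (not from SafeBreach or Microsoft): it snapshots the versions and SHA-256 hashes of the NT kernel, Secure Kernel and Hyper-V hypervisor binaries on a trusted machine, then flags any file whose version later goes backwards. The file names are the standard System32 ones; the baseline path is an assumption.

```powershell
# Added example: compare on-disk kernel / VBS binaries against a known-good baseline
# instead of trusting the build that Windows Update reports.
# Assumes: standard System32 file names; $BaselinePath is a JSON file you created
# earlier with -Mode Snapshot on a trusted system running the same OS build.
param(
    [ValidateSet('Snapshot','Compare')] [string]$Mode = 'Compare',
    [string]$BaselinePath = "$env:ProgramData\kernel-baseline.json"
)
$system32 = Join-Path $env:SystemRoot 'System32'
# Components the downgrade research targets: NT kernel, Secure Kernel, Hyper-V hypervisor.
$targets = @('ntoskrnl.exe', 'securekernel.exe', 'hvix64.exe', 'hvax64.exe') |
    ForEach-Object { Join-Path $system32 $_ } | Where-Object { Test-Path $_ }

function Get-BinaryState {
    foreach ($path in $targets) {
        $vi = (Get-Item $path).VersionInfo
        # FileVersion looks like "10.0.22631.3880 (WinBuild.160101.0800)"; keep the numbers.
        $ver = [regex]::Match($vi.FileVersion, '\d+\.\d+\.\d+\.\d+').Value
        [pscustomobject]@{
            Path    = $path
            Version = $ver
            Sha256  = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        }
    }
}

$current = Get-BinaryState
if ($Mode -eq 'Snapshot') {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
$findings = foreach ($b in $baseline) {
    $c = $current | Where-Object Path -eq $b.Path
    if (-not $c) { "$($b.Path): missing on disk"; continue }
    if ([version]$c.Version -lt [version]$b.Version) {
        "$($b.Path): version went BACKWARDS $($b.Version) -> $($c.Version)"
    } elseif ($c.Version -eq $b.Version -and $c.Sha256 -ne $b.Sha256) {
        "$($b.Path): same version string but different hash than baseline"
    }
}
# Show what the OS itself claims next to the findings, so a mismatch is visible in one place.
$nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Write-Host "OS reports build $($nt.CurrentBuild).$($nt.UBR)"
if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'No downgraded kernel/VBS binaries relative to baseline.'
```

Refresh the baseline after each cumulative update you apply deliberately; a version that drops below the baseline without such an update is the signal worth investigating, since Windows Update will not report it.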
Microsoft issued advisories coinciding with Leviev's disclosure and provided mitigation recommendations. While it's true that exploitation requires specific conditions to be met, the delay of 6 months is huge and the advisories suggest mitigating measures which are pathetic at best.
Microsoft explained that they are actively working on updates to revoke outdated, unpatched VBS system files to mitigate the attack, which requires extensive testing due to the large number of affected files. Microsoft acknowledged the issue but confirmed no known exploitation attempts in the wild.