Ethical Hacking News
A new OS downgrade vulnerability uncovered by researchers could allow attackers to bypass security controls on fully patched Microsoft Windows systems. The vulnerability targets the Driver Signature Enforcement (DSE) feature of the Windows kernel, allowing attackers to deploy custom rootkits and execute arbitrary code in the kernel. To mitigate this vulnerability, organizations need to detect and block downgrade procedures proactively rather than rely on patching alone.
The recently discovered "OS Downgrade Vulnerability" allows attackers to bypass security controls on fully patched Microsoft Windows systems. The vulnerability targets the Driver Signature Enforcement (DSE) feature of the Windows kernel, enabling the loading of unsigned kernel drivers and the deployment of custom rootkits. The attack technique exploits a race condition to replace a verified security catalog file with a malicious version, allowing attackers to execute arbitrary code in the kernel. The vulnerability has significant implications, as it offers attackers a better alternative to Bring Your Own Vulnerable Driver (BYOVD) attacks and permits them to downgrade first-party modules. Microsoft addressed the vulnerabilities with patch updates on August 13 and October 8, 2024, respectively. Researchers found that Virtualization-Based Security (VBS) can prevent successful exploitation in some cases, but it is not a foolproof solution. To fully mitigate the attack, VBS must be enabled with UEFI lock and the Mandatory flag set, which requires special care when enabling this mode.
Researchers recently uncovered a significant vulnerability that could allow attackers to bypass security controls and execute arbitrary code on fully patched Microsoft Windows systems. The vulnerability, known as the "OS Downgrade Vulnerability," targets the Driver Signature Enforcement (DSE) feature of the Windows kernel, which is designed to prevent unsigned kernel drivers from loading.
According to SafeBreach researcher Alon Leviev, this bypass allows loading unsigned kernel drivers, enabling attackers to deploy custom rootkits that can neutralize security controls, hide processes and network activity, maintain stealth, and much more. The attack was demonstrated with a tool dubbed "Windows Downdate," which hijacks the Windows Update process to craft fully undetectable, persistent, and irreversible downgrades of critical OS components.
The attack technique exploits a race condition to replace a verified security catalog file with a malicious version containing an Authenticode signature for an unsigned kernel driver. The attacker then prompts the kernel to load the driver, which Microsoft's code integrity mechanism validates using the kernel-mode library ci.dll. This allows the attacker to execute arbitrary code in the kernel, effectively granting them control over the system.
The vulnerability has significant implications, as it offers attackers a better alternative to Bring Your Own Vulnerable Driver (BYOVD) attacks, permitting them to downgrade first-party modules, including the OS kernel itself. Microsoft subsequently addressed CVE-2024-21302 and CVE-2024-38202 on August 13 and October 8, 2024, respectively, as part of Patch Tuesday updates.
However, researchers have found a security barrier that can stop such a bypass from succeeding. If Virtualization-Based Security (VBS) is running on the targeted host, the catalog scanning is carried out by the Secure Kernel Code Integrity DLL (skci.dll) rather than by ci.dll. This does not necessarily mean that the vulnerability cannot be exploited in all cases.
The default configuration of VBS is without a Unified Extensible Firmware Interface (UEFI) Lock, which means that an attacker could turn it off by tampering with the EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures registry values. Even if UEFI lock is enabled, the attacker could disable VBS by replacing one of its core files with an invalid counterpart.
To fully mitigate the attack, VBS must be enabled with UEFI lock and the Mandatory flag set. Special care should be taken before enabling this mode, because if any of the virtualization modules fails, the system will refuse to boot.
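The following PowerShell script is an added example, not code from the article or from SafeBreach. It reports whether a host is in the posture the article describes (VBS running, UEFI-locked, Mandatory set) and baselines the signatures and versions of ci.dll and skci.dll, the modules a downgrade would replace. The Locked and Mandatory value names under the DeviceGuard key are assumed from Microsoft's documentation; the other two names are those cited above.

```powershell
# Added example (not from the article or SafeBreach). Checks the VBS posture the
# article recommends and baselines the code-integrity binaries for downgrade detection.
# Assumed value names: Locked (UEFI lock) and Mandatory, under the DeviceGuard key.
$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$cfg = Get-ItemProperty -Path $dgKey -ErrorAction SilentlyContinue

function Get-Dword($obj, $name) {
    # Missing values are treated as 0 (feature not configured).
    if ($null -ne $obj -and $null -ne $obj.$name) { [int]$obj.$name } else { 0 }
}

$policy = [ordered]@{
    EnableVirtualizationBasedSecurity = Get-Dword $cfg 'EnableVirtualizationBasedSecurity'
    RequirePlatformSecurityFeatures   = Get-Dword $cfg 'RequirePlatformSecurityFeatures'
    Locked                            = Get-Dword $cfg 'Locked'     # 1 = UEFI lock
    Mandatory                         = Get-Dword $cfg 'Mandatory'  # 1 = refuse to boot if VBS fails
}

# Runtime state from the Device Guard WMI provider.
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

$findings = @()
if (-not $vbsRunning)        { $findings += 'VBS not running: catalog checks are done by ci.dll, not skci.dll' }
if ($policy.Locked -ne 1)    { $findings += 'No UEFI lock: VBS can be turned off by editing the DeviceGuard registry values' }
if ($policy.Mandatory -ne 1) { $findings += 'Mandatory flag not set: an invalid VBS core file disables VBS instead of blocking boot' }

# Baseline the code-integrity modules; record version and signature status for comparison over time.
$ciFiles = 'ci.dll', 'skci.dll' | ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }
$ciInfo = foreach ($f in $ciFiles) {
    if (Test-Path $f) {
        $sig = Get-AuthenticodeSignature -FilePath $f   # catalog-signed files resolve via the catalog store
        if ($sig.Status -ne 'Valid') { $findings += "$f signature status is $($sig.Status)" }
        [pscustomobject]@{ File = $f; Version = (Get-Item $f).VersionInfo.FileVersion; Signature = $sig.Status }
    }
}

[pscustomobject]$policy | Format-List
$ciInfo | Format-Table -AutoSize
if ($findings.Count -eq 0) { 'OK: VBS running with UEFI lock and Mandatory flag set' } else { $findings }
```

Run it elevated and keep the version output with your baseline so that a later run that shows an older file version or a non-Valid signature stands out as a possible downgrade.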
According to Leviev, "The main takeaway [...] is that security solutions should try to detect and prevent downgrade procedures even for components that do not cross defined security boundaries." This highlights the importance of proactive measures to detect and prevent such vulnerabilities, rather than relying solely on reactive patching.
In conclusion, the OS Downgrade Vulnerability has significant implications for Microsoft Windows kernel security. Attackers can use it to bypass DSE, deploy custom rootkits, and execute arbitrary code in the kernel. While some mitigations are available, organizations should actively detect and prevent downgrade procedures rather than rely on patching alone.
Related Information:
https://thehackernews.com/2024/10/researchers-uncover-os-downgrade.html
https://www.wired.com/story/windows-update-downdate-exploit/
https://winbuzzer.com/2024/08/08/researchers-discover-downgrade-vulnerability-in-windows-update-xcxwbn/
Published: Mon Oct 28 00:55:55 2024 by llama3.2 3B Q4_K_M