Windows Downgrade Attacks Expose Old Vulnerabilities in Fully Updated Systems

Downgrade Attacks Allow Exploitation of Old Windows Vulnerabilities

At Black Hat 2024, SafeBreach specialist Alon Leviev revealed two 0-day vulnerabilities that can be used in downgrade attacks, making fully updated Windows 10, Windows 11, and Windows Server systems vulnerable to old bugs once again. Currently, there are no patches available for these issues.

Microsoft has released security bulletins addressing these vulnerabilities (CVE-2024-38202 and CVE-2024-21302), along with recommendations to mitigate risks until official fixes are released.

How Downgrade Attacks Work

Downgrade attacks (or version rollback attacks) force a fully patched and updated target device to revert to older software versions. This reintroduces previously fixed vulnerabilities, which attackers can then exploit.

Leviev discovered that the Windows Update process can be manipulated to downgrade critical OS components, including DLL libraries and the NT Kernel. Even after these components are downgraded, Windows Update still reports the system as fully updated and does not detect any issues.

Bypassing Security Features

The researcher was also able to downgrade the Credential Guard Secure Kernel, the Isolated User Mode process, and Hyper-V, enabling exploitation of old privilege escalation vulnerabilities.

"I found several ways to disable Windows VBS security, including Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when UEFI locks are in place. As far as I know, this is the first time UEFI locks in VBS have been bypassed without physical access," Leviev explained. "As a result, I was able to make a fully updated Windows machine vulnerable to thousands of old vulnerabilities, turning already patched bugs into 0-days and making the term 'fully patched' meaningless for any Windows system in the world."

Detection and Disclosure

According to Leviev, these downgrade attacks are nearly impossible to detect, as they are not blocked by EDR solutions and Windows Update continues to report the device as fully updated.
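A defender-side check for the situation described above and in the "How Downgrade Attacks Work" section (a rolled-back kernel, Secure Kernel or hypervisor while Windows Update still reports the system as current), added here as an example that is not from the article or from SafeBreach: it records the file versions of those components and the VBS, Credential Guard and HVCI running state to a baseline, and on a later run flags any component whose version went backwards or any protection that stopped running. The baseline path and the list of file names are assumptions; run it elevated.

```powershell
# Added example, not code from the article or SafeBreach. Writes a baseline of
# kernel/VBS component versions, or compares the current state against it.
param(
    [string]$BaselinePath = "$env:ProgramData\vbs-baseline.json",  # assumed location
    [switch]$Compare
)
$system32 = Join-Path $env:SystemRoot 'System32'
# Assumed file names for the components the article names: NT kernel,
# Secure Kernel (VBS), and the Hyper-V hypervisor (Intel / AMD builds).
$files = @('ntoskrnl.exe', 'securekernel.exe', 'hvix64.exe', 'hvax64.exe')
$current = [ordered]@{}
foreach ($f in $files) {
    $path = Join-Path $system32 $f
    if (Test-Path $path) {
        $v = (Get-Item $path).VersionInfo
        # Build a clean x.y.z.w string from the numeric parts (FileVersion adds text).
        $current[$f] = '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
    }
}

# VBS state from the Win32_DeviceGuard class: status 2 means VBS is running;
# SecurityServicesRunning holds 1 for Credential Guard and 2 for HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$current['VBSRunning']      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$current['CredentialGuard'] = ($dg.SecurityServicesRunning -contains 1)
$current['HVCI']            = ($dg.SecurityServicesRunning -contains 2)

if (-not $Compare) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$findings = @()
foreach ($k in $current.Keys) {
    $old = $baseline.$k
    $new = $current[$k]
    if ($null -eq $old) { continue }
    if ($k -in $files) {
        # A lower version than the baseline means the binary went backwards,
        # which Windows Update itself does not report.
        if ([version]$new -lt [version]$old) { $findings += "$k rolled back: $old -> $new" }
    } elseif ($old -eq $true -and -not $new) {
        $findings += "$k was active at baseline but is not now"
    }
}
if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No rollback or VBS change detected against baseline' }
```

Run it once without switches after a known-good patch cycle to write the baseline, then schedule it with -Compare; a warning means the component version or protection state should be verified independently of what Windows Update reports.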

Leviev reported the vulnerabilities to Microsoft in February 2024, but the company has stated that it is still working on fixes.

Details on the Vulnerabilities

According to Microsoft, the CVE-2024-38202 vulnerability, related to privilege escalation in Windows Backup, allows attackers with basic privileges to roll back patches for previously fixed bugs or bypass Virtualization Based Security (VBS) features. Attackers with administrator rights can use the issue to escalate privileges and replace Windows system files with outdated, vulnerable versions.

Microsoft has stated that, as of now, there is no evidence of these vulnerabilities being exploited in the wild. The company recommends following the guidance in the above-mentioned security bulletins to reduce the risk of exploitation until patches are released.
