[German] A security researcher from SafeBreach has taken a closer look at the Microsoft Windows update architecture. He discovered vulnerabilities in the operating system's update function (which are basically serious design flaws) that enable a downgrade attack. An attacker can thus roll back security updates that have already been installed and even prevent the installation of further updates, so that the supposedly patched vulnerabilities continue to exist. This manipulation is not detectable and is not displayed anywhere. Microsoft has been aware of this since February 2024, but has not yet provided any update to close the vulnerability; only a few advisories were published yesterday.
What are downgrade attacks?
It is a clever method of attack that basically boils down to a very unpleasant story for the security of Windows. In a downgrade attack, the software (in this case Windows) is forced to revert to an older version that contains known vulnerabilities. For Windows this would mean, for example, that updates are uninstalled and the installation of new updates is prevented. In addition, the attack can be carried out in such a way that the user does not even notice it, because the software reports that it is up to date.
MS has blocked BlackLotus downgrade attacks
Windows security is not always at its best. In 2023, the infamous BlackLotus UEFI bootkit emerged, which downgrades the Windows boot manager to an older version in order to bypass Secure Boot (see BlackLotus UEFI bootkit bypasses Secure Boot in Windows 11). Security researchers from ESET had found the problem.
Microsoft responded in the context of the BlackLotus UEFI bootkit. Firstly, there is a patch to close the vulnerability. Secondly, Windows has been retrofitted with protection against unintended downgrading of the Secure Boot components.
Downgrade attacks via Windows Update
Security researcher Alon Leviev from SafeBreach Labs took a closer look at the Microsoft Windows update process as a result of the BlackLotus attack. He wondered whether downgrade attacks like the one seen with BlackLotus are also possible via Windows Update. In search of an undetectable downgrade flow, the security researcher then examined Windows Update itself; the update mechanism is probably the least suspicious component through which downgrade attacks could be carried out.
In the process, Leviev discovered vulnerabilities that allowed him to uninstall installed security updates and thus reopen vulnerabilities that had already been closed. He has thereby identified the Achilles' heel of Windows Update, which makes it possible to take complete control of the update process.
The security researcher managed to create downgrade updates for Windows that bypass all verification steps during update installation, including the Trusted Installer enforcement that Windows applies, writes Leviev. In this way he was able to roll back the operating system to an older patch level.
Using the techniques developed by the security researcher, critical operating system components, including DLLs, drivers and even the NT kernel, were downgraded to older update levels. The operating system then reported that it was fully updated and was unable to install future updates. The recovery and scanning tools detected no problems.
The researchers then dug further into the Windows internals and discovered that the entire virtualization stack was also at risk. They successfully downgraded the Hyper-V hypervisor, the Secure Kernel and the Isolated User Mode process of Credential Guard, which makes it possible to re-expose previously fixed privilege escalation vulnerabilities.
Presentation at BlackHat 2024 in the USA
Security researcher Alon Leviev from SafeBreach Labs is presenting this problem at the BlackHat 2024 conference currently taking place. A presentation on Windows Downdate: Downgrade Attacks Using Windows Updates has been announced for August 7, 2024.
In the session linked above, Leviev showed on August 7, 2024 which vulnerabilities exist in this regard. If I interpret it correctly, these vulnerabilities can be exploited by unprivileged users [Addendum: Initially, Leviev probably had administrator rights]. Quote from the security researcher:
By downgrading, I was able to make a fully patched Windows machine vulnerable to thousands of vulnerabilities from the past, turning fixed vulnerabilities into zero-days and rendering the term "fully patched" meaningless on any Windows machine in the world.
Leviev also delivered a paper at DEF CON, which can be accessed via this link.
No patch available
Microsoft has been aware of the problem since February 2024, when the company was informed by Leviev. When the security researcher reported the vulnerability, he was told that Microsoft had not yet done anything with regard to a security update; to the best of current knowledge, the whole thing remains unpatched to this day.
Microsoft issued CVE-2024-21302 and CVE-2024-38202 and sent the following official response:
"We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability through a coordinated vulnerability disclosure. We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption."
More details available
After publishing my German article, this morning I also found the blog post Windows Downdate: Downgrade Attacks Using Windows Updates from August 7, 2024 on the SafeBreach blog, where further details are given. The following tweet also provides a link in the meantime (it wasn't available last night).
The article is well worth reading because it names names and explains how attacks can be carried out via the Windows update mechanism (action lists, pending.xml etc.). When analyzing the facts, the security researcher came across the following, for example:
- Only the catalog files containing the updates are digitally signed.
- The manifest and MUM files are not explicitly signed themselves, but are signed via the catalog files.
- Differential files used for the update are also not signed.
The differential files also determine the content of the final update file. Anyone who manages to manipulate these files holds the key to the vault, so to speak. The security researcher succeeded in completely taking over Windows Update with a downgrade attack:
- Fully undetectable. As the downgrade attack was carried out in a legitimate manner, no malicious activity is detectable.
- Invisible. The downgrade attack technically "updates" the system so that it appears fully updated.
- Persistent. The security researcher discovered that the action list parser poqexec.exe is not digitally signed. He was therefore able to create a patched version that installs empty updates, which means that all newly available updates are installed incorrectly (everything looks fine from the outside, but the patch is not actually installed).
- Irreversible. The security researcher also discovered that the integrity and repair tool SFC.exe is not digitally signed. With a patched version, he ensured that SFC no longer detects any damage.
DISM.exe still remains, but it detects damage in the component store. There is no reason to modify this program, however, because the component store stays intact: the downgrade attack via Windows Update starts in the update installation process and ensures that the Trusted Installer cannot apply the fixes. Files that should be replaced during the update are simply no longer updated, while Windows reports a successfully installed update.
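As an added defensive check (not code from the article or from SafeBreach): a PowerShell script that records the file versions and SHA-256 hashes of the update-related binaries named above, plus the NT kernel and Secure Kernel images, and later flags any file whose version went backwards or whose bytes changed without a version change. The script name, the baseline path and the inclusion of securekernel.exe are my assumptions; run it elevated.

```powershell
# Added example (not from the article or SafeBreach): record and later compare
# versions and SHA-256 hashes of update-critical binaries, so that a Windows
# Downdate style rollback of e.g. the NT kernel or poqexec.exe shows up even
# when the OS itself reports "fully patched". Keep the baseline off-host.
# Assumptions: elevated session; files live in the standard %SystemRoot% paths.
param(
    [ValidateSet('Baseline','Compare')] [string]$Mode = 'Compare',
    [string]$BaselinePath = "$env:ProgramData\downdate-baseline.json"
)

$sys32 = "$env:SystemRoot\System32"
# Files named in the article (update parser, repair tools, kernel) plus the
# Secure Kernel image (assumption); extend the list as needed.
$files = @(
    "$sys32\poqexec.exe", "$sys32\sfc.exe", "$sys32\Dism.exe",
    "$sys32\ntoskrnl.exe", "$sys32\securekernel.exe"
)

function Get-BinaryState {
    foreach ($f in $files) {
        if (-not (Test-Path $f)) { continue }
        # FileVersionRaw is a System.Version, so it compares numerically
        $v = (Get-Item $f).VersionInfo.FileVersionRaw
        [pscustomobject]@{
            Path    = $f
            Version = $v.ToString()
            Sha256  = (Get-FileHash -Path $f -Algorithm SHA256).Hash
        }
    }
}

$current = Get-BinaryState
if ($Mode -eq 'Baseline') {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline for $($current.Count) files written to $BaselinePath"
    return
}

$baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
foreach ($b in $baseline) {
    $c = $current | Where-Object Path -eq $b.Path
    if (-not $c) { Write-Warning "MISSING: $($b.Path)"; continue }
    if ([version]$c.Version -lt [version]$b.Version) {
        # Version went backwards: the signature of a downgrade, not an update
        Write-Warning "DOWNGRADED: $($b.Path) $($b.Version) -> $($c.Version)"
    } elseif ($c.Version -eq $b.Version -and $c.Sha256 -ne $b.Sha256) {
        # Same version string but different bytes: tampered or patched binary
        Write-Warning "MODIFIED: $($b.Path) hash changed at version $($c.Version)"
    }
}
```

Because the attack patches SFC itself, keep the baseline and this script off-host (or run them from trusted media) and compare the reported versions with Microsoft's published build numbers rather than trusting the host's own update status.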
The fragments of information above show why Microsoft cannot patch the "problem" quickly. At the moment, I cannot estimate how simple the attack is (for example, whether it can be carried out remotely or only locally). At the very least, there are indications that the entire Windows update architecture is shaky. In my opinion, Microsoft's failings over the last few decades are now coming back to haunt it.
For cyber attackers, the only question is how much effort is involved and whether there is an easier way in. But state actors will take a very close look at the new findings and develop appropriate strategies. Let's see how Microsoft reacts; this could be the next big earthquake in the Windows universe.
Microsoft has announced a Secure Future Initiative. But I fear that this will fizzle out or it will be far too late. If I look at the following list of links to posts here in the blog, there is now a major incident or disaster every few weeks. With the above findings, administrators can no longer be sure that an operating system displayed as "fully patched" is really up to date. The question remains: "Who is the elephant in the room?"
Similar articles
BlackLotus UEFI bootkit bypasses Secure Boot in Windows 11
KB5025885: Secure boot hardening against vulnerability CVE-2023-24932 (Black Lotus)
Worldwide outage of Microsoft 365 (July 19, 2024)
Windows systems throw BSOD due to faulty CrowdStrike update
Why numerous IT systems around the world failed due to two errors on July 19, 2024
CrowdStrike analysis: Why an empty file led to BlueScreen
Review of the CrowdStrike incident, the biggest computer glitch of all time
CrowdStrike incident: sensor failure as a previously unknown side effect?
CrowdStrike: Investigation report; amount of damages and compensation; attribution of blame
Microsoft's analysis of the CrowdStrike incident and recommendations
CrowdStrike: New report, current status, lawsuits and more
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft's Storm-0558 cloud hack: US senator among the victims
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC
Microsoft extends Purview logging (after Storm-0558 hack)
Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023
How Midnight Blizzard hackers were able to penetrate Microsoft's email system
Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems
Microsoft: News from the Midnight Blizzard hack – customers may also be affected
Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023
Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack – Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2
Whistleblower: Microsoft ignored warnings about AD bug; was exploited in 2020 SolarWinds hack
Microsoft engages in damage limitation at congressional hearing (13.6.2024): Safety takes priority over AI
Midnight Blizzard hack: Microsoft sends notification to customers by email that ends up in SPAM folders
Moin Mr Born,
nice that you are still in business.
A constant in the dreary and yet motivating IT life.
But why is everything in English here? And when searching from the main page with the keyword "vulnerability", this article cannot be found in German.
What is going on??
Too much, too much to do with too little time?
Lovely greetings from a fan who visited your site years ago.
Unfortunately, due to the time, you know..
Well, some readers are clever and understand that I run two IT blogs: one is written in German, and the other covers selected blog posts from my German IT blog in a customized English fashion. As long as I don't forget to cross-link those articles, it's simple to use the link at the beginning of the article to switch between both versions.
I plan to continue this for a while, because it offers me the possibility to spill flaws to Microsoft's English-speaking software engineers.