Windows: Driver signature bypass enables rootkit installation

An old topic revisited: attackers can downgrade Windows kernel components and thereby bypass operating-system protections such as Driver Signature Enforcement. This allows rootkits to be installed on fully patched systems. SafeBreach security researcher Alon Leviev reported the problem to Microsoft, but the company does not intend to do anything about it.



Old downgrade attack

I already reported in August 2024, in the article Vulnerability in Windows Update allows downgrade attacks (August 2024), that SafeBreach security researcher Alon Leviev had pointed out a vulnerability in Windows Update.

While exploring downgrade possibilities, he discovered CVE-2024-21302, a privilege-escalation vulnerability that affects the entire Windows virtualization stack. It allowed him to use a downgrade attack to make a fully patched Windows system vulnerable to attacks, without the user being able to detect this.

New downgrade attack

On October 26, 2024, the security researcher followed up with the article An Update on Windows Downdate, which I came across via the following tweet (Bleeping Computer covered it here).

Driver signature bypass enables rootkit installation in Windows

Windows has a protection mechanism (Driver Signature Enforcement) that is designed to prevent unsigned, insecure drivers from being installed. In a new publication, Leviev shows how an attacker with administrator rights on a target computer can exploit the Windows update process to bypass the Driver Signature Enforcement (DSE) protection.



To do this, the security researcher downgrades a Windows component on a fully patched Windows 11 system in such a way that the DSE protection no longer takes effect. The background is explosive: while Microsoft patched the above-mentioned vulnerability CVE-2024-21302, the possibility of attackers taking over Windows Update, which the security researcher also reported to Microsoft, remained unpatched. Microsoft stated that no defined security boundary had been crossed, because executing kernel code as an administrator is not considered a breach of a security boundary (and therefore not a security vulnerability).

Microsoft has made a number of improvements in Windows 11 aimed at making it more difficult to compromise the kernel and increasing the hurdle for attackers. One of the security improvements to the kernel is the Driver Signature Enforcement (DSE) function.

However, the ability to downgrade kernel components unfortunately makes things much easier for attackers, writes the security researcher. He was able to show how the "takeover of Windows Update" makes it possible to bypass the Driver Signature Enforcement (DSE) function.

This bypass allows unsigned kernel drivers to be loaded. With that, attackers can inject custom rootkits, disable security controls, hide processes and network activity, maintain stealth, and more. Details can be found in the article An Update on Windows Downdate.
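Since the outcome of the bypass is unsigned kernel code running on the system, one quick triage check an administrator can run is to verify the Authenticode signature of every kernel driver that is currently loaded. The following PowerShell script is an added example for this post; it is not code from the article or from SafeBreach, and it only uses the standard Get-CimInstance and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example (not from the blog post or from SafeBreach): list the kernel
# drivers that are currently running and report any whose Authenticode
# signature does not verify. This is a triage check for a defender, because
# the DSE bypass described above ends with unsigned kernel code being loaded.

# Win32_SystemDriver enumerates kernel-mode drivers registered as services;
# PathName holds the on-disk image path of each driver.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$results = foreach ($drv in $drivers) {
    # Service image paths may be stored as \??\C:\... or \SystemRoot\...;
    # normalise them to a plain file-system path before checking the signature.
    $path = $drv.PathName -replace '^\\\?\?\\', '' `
                          -replace '^\\SystemRoot', $env:SystemRoot `
                          -replace '^system32', "$env:SystemRoot\system32"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name   = $drv.Name
        Path   = $path
        Status = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject
    }
}

# Every running driver whose signature is not 'Valid' deserves a closer look.
$suspect = $results | Where-Object { $_.Status -ne 'Valid' }
if ($suspect) {
    $suspect | Format-Table -AutoSize
} else {
    'All running kernel drivers carry a valid Authenticode signature.'
}
```

Run it from an elevated PowerShell session so that every driver image is readable. Two caveats: inbox Windows drivers are usually catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature resolves catalog signatures on current Windows builds, so a "NotSigned" result on a Microsoft driver is still worth confirming against the system catalogs rather than treated as proof; and a kernel rootkit that has already been loaded can hide its own driver from this kind of enumeration, so a clean result from a possibly compromised system is only weak evidence. The check is a starting point for triage, not a replacement for keeping the downgrade path itself closed.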


