{"id":34746,"date":"2024-08-08T14:44:32","date_gmt":"2024-08-08T12:44:32","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=34746"},"modified":"2024-08-08T14:48:14","modified_gmt":"2024-08-08T12:48:14","slug":"vulnerability-in-windows-update-allows-downgrade-attacks-august-2024","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/08\/08\/vulnerability-in-windows-update-allows-downgrade-attacks-august-2024\/","title":{"rendered":"Vulnerability in Windows Update allows downgrade attacks (August 2024)"},"content":{"rendered":"

\"Windows\"[German<\/a>]A security researcher from SafeBreach has taken a closer look at the Microsoft Windows update architecture. He discovered vulnerabilities in the operating system's update function (which are basically serious design flaws) that enable a downgrade attack. An attacker can thus roll back security updates that have already been installed and even prevent the installation of further updates, so that the supposedly patched vulnerabilities continue to exist. This manipulation is not recognizable and is not shown. Microsoft has been aware of this since February 2024, but has not yet provided any update to close the vulnerability – only some advisories has been published yesterday.<\/p>\n

<\/p>\n

What are downgrade attacks?<\/h2>\n

\"\"It is a clever method of attack that basically boils down to a very unpleasant story that jeopardizes the security of Windows. In downgrade attacks, the software (in this case Windows) is forced to revert to an older version that is vulnerable to vulnerabilities. In the case of Windows, for example, this would mean that updates are uninstalled and the installation of new updates is prevented. In addition, the attack could be carried out in such a way that the user does not even notice it because the software reports that it is up to date.<\/p>\n

MS has blocked BlackLotus downgrade attacks<\/h2>\n

Windows security is not always at its best. In 2023, the infamous BlackLotus UEFI bootkit emerged, which downgrades the Windows boot manager to an older version in order to bypass Secure Boot (see BlackLotus UEFI bootkit bypasses Secure Boot in Windows 11<\/a>). Sicherheitsforscher von ESET hatte das Problem gefunden.<\/p>\n

Microsoft has responded in the context of the BlackLotos UEFI bootkit. Firstly, there is a patch to close the vulnerability. And Windows has been retrofitted with protection against unintentional downgrading of the Secure Boot.<\/p>\n

Downgrade attacks via Windows Update<\/h2>\n

Security researcher Alon Leviev from SafeBreach Labs has taken a closer look at the Microsoft Windows update process as a result of the Black Lotus attack. He wonders whether downgrade attacks, such as those seen with Black Lotus, are possible via Windows Update. In search of an undetectable downgrade flow, the security researchers then took a closer look at Windows Update. The update mechanism is probably the least suspicious unit for the execution of downgrade attacks.<\/p>\n

In the process, Leviev discovered vulnerabilities that allow him to uninstall installed security updates and thus open up vulnerabilities that have already been closed. He has thus identified the Achilles' heel of Windows Update, which makes it possible to take complete control of the update process.<\/p>\n

The security researcher has managed to create downgrade updates for Windows, bypassing all verification steps during the update installation. This also includes the enforcement of the use of Trusted Installer enforced by Windows, writes Leviev. In this way, the security researcher was able to roll back the operating system to an older patch version.<\/p>\n

Using techniques developed by the security researcher, critical operating system components, including DLLs, drivers and even the NT kernel, were downgraded in terms of update status. The operating system then reported that it had been fully updated and was unable to install future updates. No problems were detected by the recovery and scanning tools.<\/p>\n

The researchers then searched the Windows internals further and discovered that the entire virtualization stack was also at risk. They successfully downgraded the Hyper-V hypervisor, the Secure Kernel and the Isolated User Mode process of Credential Guard. This makes it possible to uncover previous privilege escalation vulnerabilities.<\/p>\n

Presentation at BlackHat 2024 in the USA<\/h2>\n

Security researcher Alon Leviev from SafeBreach Labs is presenting this problem at the BlackHat 2024 conference currently taking place. A presentation on Windows Downdate: Downgrade Attacks Using Windows Updates<\/a> has been announced for August 7, 2024.<\/p>\n

\"Windows-Sicherheit\"<\/a><\/p>\n

In the session linked above, Leviev showed what vulnerabilities exist in this regard on August 7, 2024. If I interpret it correctly, these vulnerabilities can be exploited by unprivileged users [Addendum: Initially, Leviev probably had administrator rights]. Quote from the security researcher:<\/p>\n

By downgrading, I was able to make a fully patched Windows machine vulnerable to thousands of vulnerabilities from the past, turning fixed vulnerabilities into zero-days and rendering the term \"fully patched\" meaningless on any Windows machine in the world.<\/p>\n

Leviev also delivered a paper at defcon, which can be accessed via this link<\/a>.<\/p><\/blockquote>\n

No patch available<\/h2>\n

Microsoft has been aware of the problem since February 2024, as the company was informed by Leviev. When the security researcher reported the vulnerability, he was informed that Microsoft had not yet done anything with regard to a security update – the whole thing remains unpatched to this day according to current knowledge.<\/p>\n

Microsoft issued CVE-2024-21302<\/a>\u00a0and\u00a0CVE-2024-38202<\/a> \u2014and sent the following official response:<\/p>\n

\n
\n
\"We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability through a coordinated vulnerability disclosure.\u202fWe are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption.\"<\/em><\/div>\n<\/blockquote>\n<\/div>\n

More details available<\/h2>\n

After publishing my German article, I found this morning also the blog post Windows Downdate: Downgrade Attacks Using Windows Updates<\/a> from August 7, 2024 in the Safebreach blog, where further details are given. The following tweet<\/a> also provides a link in the meantime (it wasn't available last night).<\/p>\n

\"Windows<\/a><\/p>\n

The article is well worth reading because it names the horse and rider and explains how attacks can be carried out via the Windows update mechanism (action lists, pending.xml etc.). When analyzing the facts, the security researcher came across the following, for example:<\/p>\n