A new tool called Windows Downdate, developed by Alon Leviev of SafeBreach, can downgrade fully patched Windows 10, Windows 11, and Windows Server systems. It rolls individual system components back to older versions, reintroducing vulnerabilities that earlier updates had already fixed, which is why it is a serious security problem rather than a curiosity.
I first reported on the Downdate issue earlier this month when the issue became public. The attack, termed "Downdate", abuses the Windows Update mechanism itself: the client PC negotiates updates with Microsoft's servers, the update files are staged in an update folder, and an action list tells the system which files to apply. By taking control of that process, an attacker can have the legitimate update machinery install older, vulnerable versions of system files.
Functionality and Operation
The tool, available on GitHub as both an open-source Python script and a Windows executable, targets core Windows components such as the Hyper-V hypervisor, the Windows kernel, the NTFS driver, and the Filter Manager driver, replacing them with older, vulnerable builds. Leviev has shown how Windows Downdate can undo the patches for specific vulnerabilities, among them CVE-2021-27090, CVE-2022-34709, and CVE-2023-21768.
If you have not checked it out yet, Windows Downdate tool is live! You can use it to take over Windows Updates to downgrade and expose past vulnerabilities sourced in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets and more! https://t.co/59DRIvq6PZ
— Alon Leviev (@_0xDeku) August 25, 2024
The tool relies on two vulnerabilities, CVE-2024-21302 and CVE-2024-38202. Because the downgrade is carried out through the Windows Update mechanism itself, most endpoint detection and response (EDR) solutions do not flag it. After the downgrade, Windows Update still reports the system as fully up to date, so the usual check gives no warning. The flaw also lets an attacker disable Windows virtualization-based security (VBS) features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even where these features are protected by a UEFI lock.
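Since Windows Update keeps reporting "up to date" after a downgrade, a practitioner needs a check that does not rely on it. The PowerShell script below is an added example, not code from the article, from SafeBreach, or from the Windows Downdate project: it snapshots the file versions of the components named above on a known-good system, flags any that later become older than that baseline, and reads the VBS, Credential Guard and HVCI state from the Win32_DeviceGuard WMI class instead of trusting the update client. The component list, the baseline file path and the parameter names are this example's own assumptions.

```powershell
# Added example (not from the original article or the Windows Downdate project).
# Records a baseline of the file versions of the components the article names
# and, on later runs, flags any component whose version went backwards.
# It also reads VBS/HVCI/Credential Guard state from WMI instead of trusting
# the "you're up to date" message from Windows Update.
# Assumptions: the component paths and the baseline location below are the
# example author's choices; run from an elevated PowerShell.

param(
    [string]$BaselinePath = "$env:ProgramData\downgrade-baseline.json",
    [switch]$WriteBaseline
)

$sys32 = "$env:SystemRoot\System32"
$components = @(
    "$sys32\ntoskrnl.exe",          # NT kernel
    "$sys32\securekernel.exe",      # Secure Kernel (VBS)
    "$sys32\hvix64.exe",            # Hyper-V hypervisor (Intel)
    "$sys32\hvax64.exe",            # Hyper-V hypervisor (AMD)
    "$sys32\drivers\ntfs.sys",      # NTFS driver
    "$sys32\drivers\fltmgr.sys"     # Filter Manager driver
)

function Get-ComponentVersions {
    $result = @{}
    foreach ($path in $components) {
        if (-not (Test-Path -LiteralPath $path)) { continue }   # e.g. hvax64 on an Intel box
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        # Build a comparable System.Version from the numeric parts; the
        # FileVersion string carries a build tag that does not sort correctly.
        $result[$path] = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                        $vi.FileBuildPart, $vi.FilePrivatePart).ToString()
    }
    return $result
}

function Get-VbsState {
    # Documented class: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
    }
}

$current = Get-ComponentVersions

if ($WriteBaseline) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -WriteBaseline on a known-good system first."
}

$baseline   = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
$downgraded = @()
foreach ($path in $current.Keys) {
    $old = $baseline.$path
    if ($null -eq $old) { continue }   # component was not present when the baseline was taken
    if ([version]$current[$path] -lt [version]$old) {
        $downgraded += [pscustomobject]@{ File = $path; Baseline = $old; Now = $current[$path] }
    }
}

if ($downgraded.Count -gt 0) {
    Write-Warning "Component versions went backwards since the baseline:"
    $downgraded | Format-Table -AutoSize
} else {
    Write-Host "No component is older than the baseline."
}

Get-VbsState | Format-List
```

Run it once with `-WriteBaseline` on a freshly patched machine, then periodically without the switch. A version that goes backwards is not proof of an attack on its own (uninstalling an update legitimately does the same), so treat a hit as something to correlate with update history and audit logs rather than as a verdict; the VBS fields are the quicker tell, since Credential Guard or HVCI silently stopping on a machine that is supposed to enforce them is exactly the outcome the attack aims for.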
Microsoft’s Action Plan
Microsoft has acknowledged the issue and released security update KB5041773 to address CVE-2024-21302; CVE-2024-38202, however, was still unpatched at the time of writing. To counter downgrade attacks in the meantime, Microsoft advises following the mitigations in its security advisory: configure "Audit Object Access" auditing so that access to the relevant files is logged, limit who can perform update and restore operations, use Access Control Lists to restrict access to the affected files, and audit the use of system privileges to spot exploitation attempts.
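The audit-based mitigation above is easy to describe and easy to get wrong (enabling the policy without a SACL logs nothing). The PowerShell below is an added example, not code from the article or from Microsoft's advisory: it enables the "File System" subcategory of Object Access auditing, adds a SACL to a directory so that writes, deletions and permission changes by any principal are recorded, and then pulls the resulting 4663 events from the Security log. The audited directory and the parameter names are the example's own assumptions; choose the servicing and staging folders that match Microsoft's guidance for your environment.

```powershell
# Added example (not from the original article or Microsoft's advisory):
# turn on Object Access auditing for the file system, SACL a directory used
# by servicing, and list who touched what. Run from an elevated PowerShell.

param(
    # Assumed target directory; adjust to the folders your guidance names.
    [string]$AuditDir = "$env:SystemRoot\servicing",
    [int]$LookBackMinutes = 60
)

# 1. Enable success and failure auditing for the "File System" subcategory
#    (the part of "Audit Object Access" that file SACLs depend on).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry: write, delete and permission/ownership changes by any
#    principal generate audit events, inherited by files and subfolders.
$acl  = Get-Acl -LiteralPath $AuditDir -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    "Everyone",
    [System.Security.AccessControl.FileSystemRights]"Write, Delete, ChangePermissions, TakeOwnership",
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]"Success, Failure")
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $AuditDir -AclObject $acl

# 3. Read back the audit events. 4663 = "An attempt was made to access an
#    object"; the EventData block carries subject, process and object name.
function Get-RecentFileAudit {
    param([string]$Path, [int]$Minutes)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -like "$Path*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process = $d.ProcessName
                Object  = $d.ObjectName
                Access  = $d.AccessMask
            }
        }
    }
}

Get-RecentFileAudit -Path $AuditDir -Minutes $LookBackMinutes | Format-Table -AutoSize
```

Expect legitimate noise: the servicing stack writes to these folders during every normal update, so the useful signal is a process other than the update components (or an unexpected user context) modifying files there, ideally forwarded to a SIEM and correlated with the version check rather than read by hand on each host.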
Windows Downdate was presented at both the Black Hat USA 2024 Briefings and DEF CON 32, underlining its impact on system security. To use the tool, one clones the repository, installs it with Python, and runs it against an XML configuration file that specifies which files to downgrade.
Last Updated on November 7, 2024 3:06 pm CET