Windows ‘Downdate’ Tool Allows Downgrade Attacks on Updated Systems

August 27, 2024

SafeBreach security researcher Alon Leviev has developed a tool, 'Windows Downdate', that is capable of executing downgrade attacks on up-to-date Windows 10, Windows 11, and Windows Server systems. The tool enables threat actors to force such systems to revert to older software versions, thereby reintroducing security vulnerabilities that can be exploited to compromise the system.

Windows Downdate is an open-source Python-based program and also comes as a pre-compiled Windows executable. It can be used to downgrade various components of Windows 10, Windows 11, and Windows Server systems. Leviev has provided multiple examples of its usage, which include downgrading the Hyper-V hypervisor to a version that is two years old, the Windows Kernel, the NTFS driver, and the Filter Manager driver to their base versions, among other components and previously applied security patches.

As Leviev explains, 'You can use it to take over Windows Updates to downgrade and expose past vulnerabilities sourced in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets and more.' The tool also provides usage examples for reverting patches for CVE-2021-27090, CVE-2022-34709, CVE-2023-21768 and PPLFault, and downgrading the hypervisor and the kernel, as well as bypassing VBS's UEFI locks.

Leviev disclosed the Windows Downdate downgrade attack at Black Hat 2024, which exploits the CVE-2024-21302 and CVE-2024-38202 vulnerabilities. The tool is undetectable as it cannot be blocked by endpoint detection and response (EDR) solutions and Windows Update continues to report that the targeted system is up-to-date, even though it has been downgraded.

Leviev also discovered ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code integrity (HVCI), even when enforced with UEFI locks. 'To my knowledge, this is the first time VBS's UEFI locks have been bypassed without physical access,' Leviev said. 'As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term 'fully patched' meaningless on any Windows machine in the world.'

Microsoft has released a security update (KB5041773) to fix the CVE-2024-21302 Windows Secure Kernel Mode privilege escalation flaw. However, the company has not yet provided a patch for CVE-2024-38202, a Windows Update Stack elevation of privilege vulnerability. Until a security update is released, Microsoft recommends customers to implement recommendations shared in an earlier published security advisory to protect against Windows Downdate downgrade attacks. These measures include configuring 'Audit Object Access' settings to monitor file access attempts, restricting update and restore operations, using Access Control Lists to limit file access, and auditing privileges to identify attempts to exploit this vulnerability.

Related News

• Microsoft's August 2024 Patch Tuesday Addresses Nine Zero-Days, Six Currently Exploited
• Windows Update Downgrade Attack Exposes Fully-Updated Systems to Old Vulnerabilities

Latest News

• Chinese Hacking Group Volt Typhoon Exploits Versa Director Zero-Day Vulnerability
• Google Patches Tenth Chrome Zero-Day Exploited in 2024
• Versa Networks Addresses Zero-Day Vulnerability in Director Platform
• Critical Access Control Vulnerability Detected in SonicWall's SonicOS
• Chinese Hackers Leverage Zero-Day Cisco Switch Flaw for System Control