To bypass Windows security features, in particular Driver Signature Enforcement, attackers can downgrade the versions of system kernel components and then deploy rootkits. By taking control of the Windows Update mechanism, they can introduce outdated and vulnerable components onto a fully patched machine while the system still formally reports itself as up to date.
The problem was reported by SafeBreach researcher Alon Leviev, but Microsoft rejected it, saying that it does not meet the defined threat threshold because it allows code to run in the kernel only with administrator privileges. The researcher developed and published a tool called Windows Downdate that can arbitrarily downgrade components and re-open already known vulnerabilities on a seemingly fully updated OS. He managed to bypass Driver Signature Enforcement (DSE), which allows an attacker to load unsigned drivers and deploy a rootkit that disables security controls, so the attacker's actions remain unnoticed.
While studying this malicious rollback of component versions, Leviev discovered a privilege-escalation vulnerability, which was assigned CVE-2024-21302; Microsoft has fixed it, but the Windows Update downgrade problem itself remains. In the attack the researcher demonstrated, ci.dll, the library responsible for enforcing DSE, is replaced with an older version that does not require drivers to be signed and therefore lets them bypass security measures. The vulnerable copy of the library is loaded into memory immediately after Windows begins checking the latest copy, so the system "thinks" it has verified the file and allows unsigned drivers to be loaded into the kernel.
The researcher also described a method for disabling or bypassing Microsoft Virtualization-based Security (VBS), which creates an isolated environment in Windows to protect critical resources. Changes to the relevant UEFI and registry configuration are normally blocked, but VBS can be disabled if it is not running with its maximum security settings: doing so requires changing one key in the registry. Once VBS is partially disabled, some of its files can be replaced with vulnerable versions, opening the door to interference with Windows Update. Leviev stresses that downgrade procedures must be carefully monitored, even when they do not cross the defined threat threshold.
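Because the two attack paths described above (a rolled-back ci.dll and a partially disabled VBS) leave the machine reporting itself as fully patched, a defender needs a check that does not rely on Windows Update status. The following PowerShell script is an added example written for this article; it is not code from the article, from SafeBreach, or from the Windows Downdate tool. It records the version and signature of ci.dll, compares it with a baseline version you capture from a trusted reference machine (the `$ExpectedCiVersion` parameter is a placeholder), applies a heuristic comparison against ntoskrnl.exe, and reads the VBS and HVCI state from the `Win32_DeviceGuard` CIM class. It assumes both files live under `$env:SystemRoot\System32`.

```powershell
# Added defender-side downgrade check (not from the article or SafeBreach).
# Assumptions: ci.dll and ntoskrnl.exe are under $env:SystemRoot\System32, and
# $ExpectedCiVersion is a PLACEHOLDER you replace with the ci.dll version captured
# on a known-good machine at the same patch level.
param(
    [version]$ExpectedCiVersion = '10.0.0.0'   # PLACEHOLDER baseline, not a real value
)

function Get-KernelComponentInfo {
    param([Parameter(Mandatory)][string]$Name)
    $path = Join-Path $env:SystemRoot "System32\$Name"
    $vi   = (Get-Item -LiteralPath $path).VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name      = $Name
        # Build a comparable [version] from the four numeric parts of the PE version resource.
        Version   = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        Signature = $sig.Status            # expect 'Valid'; anything else warrants a closer look
        Signer    = $sig.SignerCertificate.Subject
    }
}

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 0 = disabled, 1 = enabled, 2 = running
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)        # 2 = HVCI (memory integrity)
    }
}

function Test-DowngradeIndicators {
    param([version]$ExpectedCiVersion)
    $ci     = Get-KernelComponentInfo -Name 'ci.dll'
    $kernel = Get-KernelComponentInfo -Name 'ntoskrnl.exe'
    $vbs    = Get-VbsState
    $findings = New-Object System.Collections.Generic.List[string]

    if ($ci.Signature -ne 'Valid') {
        $findings.Add("ci.dll signature status is '$($ci.Signature)', expected 'Valid'")
    }
    if ($ci.Version -lt $ExpectedCiVersion) {
        $findings.Add("ci.dll version $($ci.Version) is older than baseline $ExpectedCiVersion")
    }
    # Heuristic: ci.dll and ntoskrnl.exe normally ship from the same OS build, so a
    # lower build number on ci.dll alone is a signal that the component was rolled back.
    if ($ci.Version.Build -lt $kernel.Version.Build) {
        $findings.Add("ci.dll build $($ci.Version.Build) is lower than ntoskrnl.exe build $($kernel.Version.Build)")
    }
    if (-not $vbs.VbsRunning)  { $findings.Add('VBS is not running') }
    if (-not $vbs.HvciRunning) { $findings.Add('HVCI (memory integrity) is not running') }

    [pscustomobject]@{
        CiDll    = $ci
        Kernel   = $kernel
        Vbs      = $vbs
        Findings = $findings
        Suspect  = ($findings.Count -gt 0)
    }
}

# Usage: run from an elevated PowerShell session, passing the baseline version.
$result = Test-DowngradeIndicators -ExpectedCiVersion $ExpectedCiVersion
$result.CiDll, $result.Kernel | Format-Table Name, Version, Signature
$result.Vbs | Format-List
if ($result.Suspect) {
    Write-Warning "Downgrade or VBS indicators found:`n - $($result.Findings -join "`n - ")"
} else {
    Write-Host 'No downgrade indicators found.'
}
```

The version comparison only means something against a baseline taken from a system you trust, since a downgraded ci.dll is still a genuine, correctly signed Microsoft binary; that is exactly why the article's attack survives signature checks. The VBS and HVCI flags answer the separate question of whether the isolation the article describes as bypassable is actually running, which a patch inventory will not tell you.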