
Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel

A newly identified attack technique poses a significant threat to Microsoft’s Driver Signature Enforcement (DSE), enabling attackers to execute operating system downgrade attacks on fully patched Windows systems. According to SafeBreach researcher Alon Leviev, this vulnerability facilitates the loading of unsigned kernel drivers, which could be used to deploy custom rootkits to bypass security controls, conceal processes, and obscure network activities, among other malicious tasks.

This discovery builds upon earlier findings related to two privilege escalation vulnerabilities in the Windows update process—CVE-2024-21302 and CVE-2024-38202—allowing potential exploitation by reverting fully updated Windows software to older, unpatched versions containing known security flaws. The method is facilitated by a tool named Windows Downdate, intended to exploit and hijack the Windows Update process, creating undetectable and irreversible downgrades for essential OS components.

The ramifications of this vulnerability are serious, offering a more advantageous alternative to traditional Bring Your Own Vulnerable Driver (BYOVD) attacks, as it permits the downgrading of core system components, including the OS kernel. Microsoft has addressed the aforementioned vulnerabilities in updates issued on August 13 and October 8, 2024, as part of their Patch Tuesday initiatives.

Leviev’s analysis indicates that the Windows Downdate tool can be used to undo the fix for a previously patched DSE bypass termed “ItsNotASecurityBoundary,” which was first documented by Elastic Security Labs in July 2024. This bypass relies on a newly identified flaw class, codenamed False File Immutability, which allows attackers to replace trusted security catalog files with malicious versions containing authentic signatures for unsigned drivers.

The exploitation takes advantage of a race condition that enables the replacement of a verified security catalog file, misleading Microsoft’s code integrity mechanisms. By persuading the kernel to load a compromised driver, attackers can leverage this capability to execute arbitrary code at the kernel level, thereby compromising system integrity.

To achieve the DSE bypass, the method downgrades the core ci.dll library to a previous version, undoing the security patch. Although Virtualization-Based Security (VBS) can thwart these attempts because it relies on a separate code-integrity module (skci.dll), the default VBS configuration lacks a Unified Extensible Firmware Interface (UEFI) lock. This allows attackers to deactivate VBS through registry modifications.

Even if the UEFI lock is enabled, an attacker can still disable VBS by substituting critical virtualization files with invalid versions. The steps an attacker would follow include turning off VBS via registry changes, downgrading ci.dll, rebooting the system, and subsequently exploiting the DSE bypass to achieve kernel-level code execution.

The only scenario in which this attack vector fails is if VBS is enabled with a UEFI lock and a “Mandatory” flag, which causes boot failures if virtualization files are compromised. Microsoft’s documentation highlights that the Mandatory setting prevents system boot continuity if any malfunction occurs within virtualization components, emphasizing the importance of careful configuration before engaging this mode.

To fully mitigate the outlined threat, it is imperative for systems to have VBS active, alongside both a UEFI lock and the Mandatory flag established. Under any circumstances in which these conditions are not met, attackers could leverage the vulnerability to disable security features, execute DLL downgrades, and exploit the DSE bypass.
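The following PowerShell check is an added example, not part of the article or SafeBreach's tooling: it reads the VBS policy values from the DeviceGuard registry key and the live VBS state from the Win32_DeviceGuard WMI class, then reports whether a host meets the VBS + UEFI lock + Mandatory bar described above. The registry value names EnableVirtualizationBasedSecurity and Locked follow Microsoft's documented VBS policy keys; the value name Mandatory is assumed to correspond to the “Mandatory” flag the article mentions and should be verified against current Microsoft documentation.

```powershell
# Added defensive posture check (not from the article): does this host run VBS with a
# UEFI lock and Mandatory mode, the only configuration the article says blocks the
# ci.dll downgrade path? Run in an elevated PowerShell session.
# Assumption: 'Mandatory' is the registry value behind the "Mandatory" flag.

$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

function Get-DwordOrZero {
    # Return a DWORD registry value, or 0 when the value or key is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

$posture = [ordered]@{
    VbsEnabledInPolicy = (Get-DwordOrZero $dgKey 'EnableVirtualizationBasedSecurity') -eq 1
    UefiLockInPolicy   = (Get-DwordOrZero $dgKey 'Locked') -eq 1      # UEFI lock
    MandatoryInPolicy  = (Get-DwordOrZero $dgKey 'Mandatory') -eq 1   # assumed value name
}

# Live state from the DeviceGuard WMI provider.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$posture.VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
# SecurityServicesRunning contains 2 when hypervisor-enforced code integrity (HVCI) is running
$posture.HvciRunning = ($dg.SecurityServicesRunning -contains 2)

$posture.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }

if ($posture.VbsRunning -and $posture.UefiLockInPolicy -and $posture.MandatoryInPolicy) {
    'RESULT: VBS running with UEFI lock and Mandatory mode; the described ci.dll downgrade is blocked.'
} else {
    'RESULT: VBS + UEFI lock + Mandatory bar not met; VBS can be disabled and ci.dll downgraded.'
}
```

Because Mandatory mode causes a boot failure when virtualization files are corrupted, validate the change on a test host before enabling it fleet-wide.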

Leviev emphasizes that security solutions need to proactively detect and prevent downgrade processes, even for components not typically categorized within the established security boundaries. Following these revelations, Microsoft acknowledged the vulnerability and stated it is working on a security update to revoke outdated VBS files to further secure systems against potential exploitation. They emphasized the complexity involved in addressing this issue, ensuring rigorous testing to prevent integration failures or regressions.

Microsoft expressed gratitude for SafeBreach’s responsible reporting of the vulnerability and reiterated its commitment to developing comprehensive mitigations while emphasizing a thorough investigative and testing process to maximize customer protection and minimize operational disruptions.