Microsoft has acknowledged the presence of two critical vulnerabilities that could be exploited to launch
downgrade attacks against the Windows update mechanism, potentially replacing current OS files with older
versions.
The identified vulnerabilities are as follows:
- CVE-2024-38202 (CVSS score: 7.3) – Windows Update Stack Elevation of Privilege Vulnerability
- CVE-2024-21302 (CVSS score: 6.7) – Windows Secure Kernel Mode Elevation of Privilege Vulnerability
The flaws were first brought to light by SafeBreach Labs researcher Alon Leviev, who presented his findings at
Black Hat USA 2024 and DEF CON 32.
The first vulnerability, CVE-2024-38202, originates from the Windows Backup function, enabling attackers with
basic user privileges to reintroduce previously mitigated vulnerabilities.
On the other hand, CVE-2024-21302 allows for privilege escalation in Windows systems supporting Virtualization
Based Security (VBS), offering attackers the opportunity to replace current system files with older
versions.
Leviev unveiled a tool called Windows Downdate which could potentially render fully patched Windows systems
vulnerable to past vulnerabilities, essentially turning fixed flaws into zero-days.
The tool manipulates the Windows Update process to execute undetectable downgrades on critical OS components,
bypassing security mechanisms and elevating privileges.
Moreover, Windows Downdate can circumvent verification measures, downgrading essential system components and
compromising security features.

These vulnerabilities expose potential risks of downgrading critical components, compromising security
features, and making systems susceptible to past security flaws.
As a result, even after applying all patches, a Windows system could remain exposed and hinder future updates,
posing a significant threat to overall system security.
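The practical defensive consequence of a downgrade attack is that "fully patched" can no longer be inferred from the update history alone; the versions of the critical binaries on disk have to be compared against a trusted baseline. The following is an added example, not part of the article and not code from SafeBreach or the Windows Downdate tool: it takes a baseline inventory of component versions and a current snapshot and flags any component whose version went backwards. The file paths and version strings are constructed sample data, chosen only to illustrate the check, and are not the versions shipped in any specific update.

```python
"""Detect version regressions (downgrades) in an inventory of critical Windows
components by comparing a current snapshot against a trusted baseline.

Added example; the paths and version numbers are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    baseline: str
    current: str


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '10.0.22621.3880' into (10, 0, 22621, 3880) so each field compares
    numerically. Plain string comparison would rank '10.0.22621.999' above
    '10.0.22621.3880' and hide a real downgrade."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def find_downgrades(baseline: dict[str, str], current: dict[str, str]) -> list[Finding]:
    """Return one Finding per monitored file whose current version is lower
    than the baseline, or which is missing from the current snapshot."""
    findings: list[Finding] = []
    for path, base_ver in baseline.items():
        cur_ver = current.get(path)
        if cur_ver is None:
            # A monitored component that disappeared is reported too; a
            # downgrade tool that swaps files could also leave gaps.
            findings.append(Finding(path, base_ver, "<missing>"))
            continue
        if parse_version(cur_ver) < parse_version(base_ver):
            findings.append(Finding(path, base_ver, cur_ver))
    return findings


# Constructed sample inventories (not real update versions). The baseline is
# what was recorded right after the last known-good patch cycle.
SAMPLE_BASELINE = {
    r"C:\Windows\System32\ntoskrnl.exe": "10.0.22621.3880",
    r"C:\Windows\System32\securekernel.exe": "10.0.22621.3880",
    r"C:\Windows\System32\ci.dll": "10.0.22621.3810",
}

# Current snapshot: securekernel.exe has been rolled back to an older build,
# ci.dll moved forward (fine), ntoskrnl.exe is unchanged.
SAMPLE_CURRENT = {
    r"C:\Windows\System32\ntoskrnl.exe": "10.0.22621.3880",
    r"C:\Windows\System32\securekernel.exe": "10.0.22621.1",
    r"C:\Windows\System32\ci.dll": "10.0.22621.3880",
}


def run_sample() -> list[Finding]:
    """Run the check over the constructed sample data."""
    return find_downgrades(SAMPLE_BASELINE, SAMPLE_CURRENT)


if __name__ == "__main__":
    for f in run_sample():
        print(f"DOWNGRADE {f.path}: baseline {f.baseline}, current {f.current}")
```

On a real host the `current` dictionary would be filled from the file metadata of the monitored binaries (for example, in PowerShell, `(Get-Item $path).VersionInfo.FileVersion`), and the baseline stored somewhere the host itself cannot rewrite. The numeric comparison in `parse_version` is the part that matters: a downgrade that a string comparison reports as "newer" is exactly the kind of regression the article warns is hard to detect.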
“The downgrade attack I was able to achieve on the virtualization stack within Windows was possible due to a
design flaw that permitted less privileged virtual trust levels/rings to update components residing in more
privileged virtual trust levels/rings,” Leviev explained.