All software program purposes, together with working methods, comprise vulnerabilities, so common updates to patch them are a cornerstone of cybersecurity. The researchers who invented the Home windows Downdate assault focused this very replace mechanism, aiming to stealthily roll again a totally up to date Home windows system to an older model containing weak information and companies. This leaves the system uncovered to well-known exploits and deep-level compromise — together with the hypervisor and safe kernel. Worse, commonplace replace and system-health checks will report that the whole lot’s updated and positive.
Assault mechanism
The researchers really discovered two separate flaws with barely completely different working mechanisms. One vulnerability — assigned the CVE-2024-21302 ID and dubbed Downdate — is predicated on a flaw within the replace set up course of: the downloaded replace elements are managed, protected against modification, and digitally signed, however at one of many intermediate set up phases (between reboots), the replace process creates after which makes use of a file containing an inventory of deliberate actions (pending.xml). If attackers are capable of create their very own model of that file after which add details about it to the registry, Home windows Modules Installer service (TrustedInstaller) will execute the directions in it upon reboot.
In precise truth, the contents of pending.xml do get verified, but it surely’s completed throughout earlier set up phases — TrustedInstaller doesn’t re-verify it. In fact, it’s inconceivable to put in writing no matter you wish to the file and set up arbitrary information this manner — since they have to be signed by Microsoft, however changing system information with older information developed by Microsoft is sort of possible. This may re-expose the system to long-patched vulnerabilities — together with important ones. Including the mandatory keys associated to pending.xml to the registry requires administrator privileges, after which a system reboot have to be initiated. Nonetheless, these are the one important limitations. This assault doesn’t require elevated privileges (for which Home windows dims the show and prompts an admin for added permission), and most safety instruments received’t flag the actions carried out through the assault as suspicious.
The second vulnerability — CVE-2024-38202 — permits an actor to govern the Home windows.previous folder, the place the replace system shops the earlier Home windows set up. Though modifying information on this folder requires particular privileges, an attacker with common user-rights can rename the folder, create a brand new Home windows.previous from scratch, and place outdated, weak variations of Home windows system information in it. Initiating a system restore then rolls Home windows again to the weak set up. Sure privileges are required for system restoration, however these aren’t administrator privileges and are typically granted to common customers.
VBS bypass and password theft
Since 2015, the Home windows structure has been redesigned to forestall a Home windows kernel compromise resulting in that of the entire system. This includes a spread of measures collectively generally known as virtualization-based safety (VBS). Amongst different issues, the system hypervisor is used to isolate OS elements and create a safe kernel for performing essentially the most delicate operations, storing passwords, and so forth.
To stop attackers from disabling VBS, Home windows will be configured to make this inconceivable — even with administrator rights. The one strategy to disable this safety is by rebooting the pc in a particular mode and getting into a keyboard command. This function is known as a Unified Extensible Firmware Interface (UEFI) lock. The Home windows Downdate assault bypasses this restriction as properly by changing information with modified, outdated, and weak variations. VBS doesn’t test system information for up-to-dateness, to allow them to be substituted with older, weak variations with no detectable indicators or error messages. That’s, VBS isn’t disabled technically, however the function not performs its safety operate.
This assault permits for the alternative of secure-kernel and hypervisor information with two-year-old variations containing a number of vulnerabilities whose exploitation results in privilege escalation. Consequently, attackers can acquire most system privileges, full entry to the hypervisor and memory-protection processes, and the flexibility to simply learn credentials, hashed passwords, and likewise NTLM hashes from reminiscence (which can be utilized for increasing the community assault).
Safety in opposition to Downdate
Microsoft was knowledgeable of the Downdate vulnerabilities in February 2024, but it surely wasn’t till August that particulars have been launched as a part of its month-to-month Patch Tuesday rollout. Fixing the bugs proved to be a tricky activity fraught with unintended effects — together with the crashing of some Home windows methods. Due to this fact, as an alternative of dashing to publish one other patch, Microsoft for now has merely issued some tricks to mitigate the dangers. These embody the next:
- Auditing customers licensed to carry out system-restore and replace operations, minimizing the variety of such customers, and revoking permissions the place attainable.
- Implementing entry management lists (ACL/DACL) to limit entry to, and modification of replace information.
- Configuring occasion monitoring for situations the place elevated privileges are used to change or change replace information — this could possibly be an indicator of vulnerability exploitation.
- Equally, monitoring the modification and alternative of information related to the VBS subsystem and system-file backups.
Monitoring these occasions utilizing SIEM and EDR is comparatively simple. Nonetheless, false positives will be anticipated, so distinguishing authentic sysadmin exercise from that of hackers in the end falls to the safety staff.
All the above applies not solely to bodily, but in addition digital Home windows machines in cloud environments. For digital machines in Azure, we additionally advise monitoring uncommon makes an attempt to log in with administrator credentials. Allow MFA and alter the credentials in case such an try is detected.
One different, extra drastic tip: revoke administrator privileges for workers who don’t want them, and mandate that real directors (i) solely carry out administrative actions below their respective account, and (ii) use a separate account for different work.
Dangerous fixes
For these on the lookout for extra safety, Microsoft gives the replace KB5042562, which mitigates the severity of CVE-2024-21302. With this put in, outdated variations of VBS system information are added to the revoked record and may not be run on an up to date laptop. This coverage (SkuSiPolicy.p7b) is utilized on the UEFI degree, so when utilizing it you want to replace not solely the OS but in addition backup detachable boot media. It’s additionally vital to remember that rollback to older installations of Home windows would not be attainable. What’s extra, the replace forcibly prompts the Consumer Mode Code Integrity (UMCI) function, which itself could cause compatibility and efficiency points.
Usually, directors are suggested to rigorously weigh the dangers, and completely examine the process and its potential unintended effects. Going ahead, Microsoft guarantees to launch patches and extra safety measures for all related variations of Home windows — as much as Home windows 10, model 1507, and Home windows Server 2016.
