Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel

October 28, 2024 at 01:42AM

A new attack method can bypass Microsoft’s Driver Signature Enforcement on up-to-date Windows systems, enabling the loading of unsigned drivers and potential OS downgrades. This technique allows attackers to deploy rootkits, compromising system security. Enabling Virtualization-Based Security with UEFI lock and Mandatory flag can mitigate these vulnerabilities.

### Meeting Takeaways

1. **New Attack Technique**: A technique has been identified that can circumvent Microsoft’s Driver Signature Enforcement (DSE) on fully patched Windows systems, enabling OS downgrade attacks.

2. **Impact of Bypass**: This bypass allows the loading of unsigned kernel drivers, facilitating the deployment of custom rootkits that can neutralize security controls and hide malicious activity from detection.

3. **Historical Context**: The findings build on prior vulnerabilities in the Windows update process (CVE-2024-21302 and CVE-2024-38202), which could allow attackers to revert Windows to versions with known security flaws. Microsoft patched these issues on August 13 and October 8, 2024.

4. **Tool Development**: A tool named “Windows Downdate” has been created to hijack the Windows Update process and enable undetectable downgrades of critical OS components.

5. **Exploitation Mechanism**: The new attack exploits a race condition to replace verified security catalog files, allowing malicious kernel drivers to be loaded without proper checks.

6. **Security Mitigations**: Virtualization-Based Security (VBS) can protect against this attack. When VBS is enabled with a Unified Extensible Firmware Interface (UEFI) lock and the “Mandatory” flag set, it significantly reduces the chances of a successful exploit.

7. **Exploitation Steps**:
– Disable VBS via the Windows Registry or invalidate SecureKernel.exe
– Downgrade the ci.dll library to an unpatched version
– Restart the system
– Use the attack method to gain kernel-level code execution

8. **Failure Condition**: The attack fails when VBS is running with a UEFI lock and Mandatory flag, which prevents booting if security module failures occur.

9. **Preventive Recommendations**: Security solutions should implement measures to detect and prevent downgrade actions, even for non-critical components.

10. **Final Note**: It is crucial for organizations to ensure that VBS is enabled with appropriate security features to protect against potential exploits related to DSE bypass.

### Action Items
– Review current VBS configurations and ensure they comply with security best practices.
– Monitor for any unauthorized downgrade attempts of critical system components.
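As an added example, not part of the article, the following PowerShell audit checks the state the takeaways call for: VBS running, the UEFI lock set, and the Mandatory flag set. The Win32_DeviceGuard CIM class and the DeviceGuard registry value names (Locked, Mandatory) are assumed from Microsoft's documented Device Guard settings; the article itself names the features only as "UEFI lock" and "Mandatory flag".

```powershell
# Added audit script (not from the article). Reports whether VBS is running,
# whether HVCI (memory integrity) is active, and whether the DeviceGuard
# "Locked" (UEFI lock) and "Mandatory" registry values are set.
# Registry value names are assumed from Microsoft's documented DeviceGuard
# settings; run from an elevated PowerShell session.

$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: treat as not configured
}

# Runtime state as reported by the DeviceGuard CIM provider
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
$vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2
# SecurityServicesRunning contains 2 when HVCI is running
$hvciRunning = $dg.SecurityServicesRunning -contains 2

$locked     = Get-RegDword $dgKey   'Locked'
$mandatory  = Get-RegDword $dgKey   'Mandatory'
$hvciLocked = Get-RegDword $hvciKey 'Locked'

$findings = [ordered]@{
    'VBS running'               = $vbsRunning
    'HVCI running'              = $hvciRunning
    'VBS UEFI lock (Locked=1)'  = ($locked -eq 1)
    'HVCI UEFI lock (Locked=1)' = ($hvciLocked -eq 1)
    'VBS Mandatory flag (=1)'   = ($mandatory -eq 1)
}

$findings.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'OK    ' } else { 'REVIEW' }
    Write-Output ("{0} {1}" -f $state, $_.Key)
}

# The mitigation described in the article needs all three: VBS running, UEFI lock, Mandatory.
if (-not ($vbsRunning -and $locked -eq 1 -and $mandatory -eq 1)) {
    Write-Warning 'VBS is not running in locked + mandatory mode; the DSE downgrade mitigation does not apply to this host.'
}
```

Any REVIEW line is a configuration gap against the article's recommended state; the HVCI rows are reported separately because the UEFI lock can be set per scenario.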
