October 28, 2024 at 05:51PM
Windows 11 systems, even when fully patched, can be compromised through a technique demonstrated by SafeBreach’s Alon Leviev. His Windows Downdate tool allows attackers with admin access to downgrade critical OS components back to vulnerable versions, exposing systems to potential rootkit installation and exploitation. Microsoft is developing mitigations to address this.
### Meeting Takeaways
1. **Windows 11 Vulnerability Overview**:
– Fully patched Windows 11 systems are vulnerable to attacks allowing the installation of custom rootkits that bypass endpoint security.
2. **Demonstration of Windows OS Downgrade Attack**:
– Alon Leviev, a SafeBreach researcher, showcased an exploit at Black Hat USA 2024 using a tool called Windows Downdate.
– The attack takes over the Windows Update process to perform downgrades, reverting components to previously vulnerable states, even with virtualization-based security (VBS) enabled.
3. **Security Boundary Issues**:
– Microsoft does not consider an administrator gaining kernel code execution to be crossing a security boundary, which leaves vulnerabilities of this kind unaddressed.
– Leviev has discovered and reported two vulnerabilities (CVE-2024-21302 and CVE-2024-38202), which Microsoft has patched, but the downgrading vulnerability remains unaddressed.
4. **New Downgrade Attack Released**:
– Leviev released new attack details on October 26, exploiting a driver signature enforcement (DSE) bypass related to CVE-2024-21302.
– The attack falls under a new attack class, termed False File Immutability (FFI), in which incorrect assumptions are made about file immutability.
5. **Mitigation Efforts from Microsoft**:
– A Microsoft representative stated that the company is actively working on mitigations to protect against these downgrades, though specifics and timelines were not provided.
– A security update will revoke outdated VBS system files to reduce threats, with extensive testing required given the complexity involved.
6. **Implications for Organizations**:
– Organizations need to tighten security measures, especially through the proper configuration of VBS and UEFI locks, to prevent these downgrade attacks.
7. **Ongoing Monitoring**:
– Microsoft will continue to monitor and provide updates regarding CVE-2024-21302 and related mitigations for impacted systems.
### Action Items:
– Monitor Microsoft announcements for updates and patches regarding the downgrading vulnerabilities.
– Assess current system configurations, ensuring VBS is enabled with UEFI lock and the ‘Mandatory’ flag to enhance security.
– Consider the implications of attack methods on endpoint security and take proactive measures to safeguard against potential exploits.
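
One way to run the configuration check from the action items, as an added PowerShell example that is not part of the original summary or of Microsoft's tooling: it reads the VBS, UEFI lock and 'Mandatory' settings from the registry and compares them with the runtime state reported by `Win32_DeviceGuard`. The function name `Test-VbsDowngradeHardening` is hypothetical, and the registry value names are taken from Microsoft's VBS documentation rather than from this page.

```powershell
# Added example: audit the VBS settings named in the action items.
# Value names under the DeviceGuard key follow Microsoft's VBS documentation (not this page).
function Test-VbsDowngradeHardening {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    )

    # Expected DWORD value for each setting.
    $expected = [ordered]@{
        EnableVirtualizationBasedSecurity = 1   # VBS turned on
        Locked                            = 1   # enabled with UEFI lock
        Mandatory                         = 1   # 'Mandatory' flag
    }

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

    $results = @(foreach ($name in $expected.Keys) {
        # A missing key or value is reported as not set and fails the check.
        $actual = $null
        if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
            $actual = $props.$name
        }
        $shown = '<not set>'
        if ($null -ne $actual) { $shown = $actual }
        [pscustomobject]@{
            Check    = $name
            Expected = $expected[$name]
            Actual   = $shown
            Pass     = ($actual -eq $expected[$name])
        }
    })

    # The registry shows intent; Win32_DeviceGuard shows what is actually running
    # (VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $status = '<unavailable>'
    if ($dg) { $status = $dg.VirtualizationBasedSecurityStatus }
    $results += [pscustomobject]@{
        Check    = 'VBS running (Win32_DeviceGuard)'
        Expected = 2
        Actual   = $status
        Pass     = ($status -eq 2)
    }
    $results
}

Test-VbsDowngradeHardening | Format-Table -AutoSize
```

Any row with `Pass` set to `False` marks a host where VBS could be switched off or is not running as configured; the runtime row may show `<unavailable>` if the CIM query is not permitted in the current session.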