At Black Hat 2024, SafeBreach researcher Alon Leviev demonstrated a tool that can silently undo security patches installed on computers running Windows 10, Windows 11, and Windows Server. Through such a downgrade attack, threat actors can reintroduce old, already-fixed security vulnerabilities. Several months later, Leviev has released the tool as an open-source Python program and as a pre-compiled Windows executable.
Using the tool, dubbed Windows Downdate, it is possible to circumvent parts of the Windows Update process and build custom downgrade packages. Applying such a package re-exposes past security vulnerabilities and lets an attacker compromise the system as if it had never been patched in the first place.
Leviev's tool exploits the CVE-2024-21302 and CVE-2024-38202 vulnerabilities. Its use is described as undetectable: endpoint detection and response (EDR) solutions do not block it, and Windows Update continues to report that the targeted system is up to date even though it has actually been downgraded.
Along with the tool itself, Leviev provided several worked examples of its use. These show how to downgrade the Hyper-V hypervisor to a two-year-old version, and how to revert the Windows Kernel, the NTFS driver, and the Filter Manager driver to their original versions. Further instructions walk through downgrading other Windows components and rolling back previously applied security patches.
The security researcher also encouraged others to use the tool for "further research and to find additional vulnerabilities."
Do you have in mind any additional Windows components that may be vulnerable to downgrades? Use Windows Downdate for further research and to find additional vulnerabilities!
August 25, 2024
Microsoft released a security update on August 7 to address CVE-2024-21302, a Windows Secure Kernel Mode elevation of privilege flaw. However, there is not yet a patch for CVE-2024-38202, a Windows Update Stack elevation of privilege vulnerability.
Until Microsoft releases a security update for CVE-2024-38202, the company says users should follow the recommendations outlined in the security advisory released earlier this month to safeguard against Windows Downdate downgrade attacks.
These recommendations include configuring "Audit Object Access" settings to monitor file access attempts, restricting update and restore operations, using Access Control Lists to limit file access, and conducting regular audits to identify attempts to exploit the vulnerability.
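One way to put the first and last of these recommendations into practice, as an added example that is not from the advisory or from the Windows Downdate project: the script below enables file-system object-access auditing, places a SACL on the directories to be watched, and then reviews the resulting Security log events. The directory list is an assumption for illustration (the advisory's own list of paths should be used), and the script must run from an elevated PowerShell session.

```powershell
# Run as Administrator. Enables "Audit Object Access" (File System subcategory)
# for both successful and failed attempts.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Assumed directories to watch; substitute the paths named in Microsoft's advisory.
$WatchedPaths = @('C:\Windows\WinSxS', 'C:\Windows\System32\drivers')

# Add a SACL entry so that any write, delete or permission change on these
# trees (by any principal) is recorded as a Security event.
foreach ($path in $WatchedPaths) {
    $acl  = Get-Acl -Path $path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        'Write,Delete,ChangePermissions,TakeOwnership',
        'ContainerInherit,ObjectInherit',
        'None',
        'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Review step for the "regular audits" recommendation: pull Event ID 4663
# ("An attempt was made to access an object") for the last 24 hours and keep
# only events that touch the watched trees, so unexpected modifications of
# component files show up with the user and process responsible.
function Get-WatchedFileAccess {
    param([string[]]$Paths = $WatchedPaths, [int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $hit = $Paths | Where-Object { $data.ObjectName -like "$_*" }
        if ($hit) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process = $data.ProcessName
                Object  = $data.ObjectName
                Access  = $data.AccessMask
            }
        }
    }
}

Get-WatchedFileAccess | Format-Table -AutoSize
```

Writes by the trusted servicing process are expected and will appear too; the value of the report is in the entries whose process or user is not one the system normally uses to modify these trees.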