Researchers Demonstrate Windows Downgrade Attacks At Black Hat 2024

Security researchers have demonstrated a new threat to Microsoft Windows users that may make every system vulnerable. Called ‘downgrade attacks,’ they exploit two zero-day vulnerabilities to roll a fully patched Windows device back to a vulnerable state.

Windows Downgrade Attacks May ‘Unpatch’ Updated Systems

Researchers from SafeBreach have shared a detailed blog post highlighting Downgrade attacks against Windows systems.

As explained, downgrade attacks can ‘unpatch’ a target system, reverting its status to a previous system version. Given that every recent system update brings security fixes, reverting a system to an older version revives all the patched vulnerabilities, making the system vulnerable to cyber threats.

Such attacks became possible due to the following two Windows zero-day flaws.

  • CVE-2024-38202 (CVSS 7.3; high severity): A privilege escalation vulnerability affecting Windows Backup that allows VBS bypass and unpatching target systems.
  • CVE-2024-21302 (CVSS 6.7; medium severity): A privilege escalation flaw affecting Windows systems supporting Virtualization Based Security (VBS). Exploiting the flaw allows reintroducing previously patched vulnerabilities, evading VBS features, and stealing data.

The researchers devised a tool, Downdate, that bypasses security features such as Trusted Installer enforcement and integrity verification, and downgrades critical operating system components such as DLLs, drivers, and the NT kernel. Such precise downgrading of components reintroduces previously patched vulnerabilities without the OS detecting any issue. Hence, the end user sees no alarms about potential vulnerabilities.

In their study, the researchers could easily compromise various OS components, ultimately compromising the VBS UEFI locks without physical access to the target system. Doing so allowed them to fully downgrade the target system to an earlier, unpatched, vulnerable state.
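Because the downgrade described above raises no alarm on the host itself, one defensive check is to compare component file versions against a baseline kept off the machine. The following is an added example, not code from SafeBreach or Microsoft; it assumes a downgraded file carries an older version number on disk, and every path and version in it except the general four-part version format is constructed sample data.

```python
# Added example: flag OS components whose file version regressed against a
# trusted baseline. Inventories are {path: "a.b.c.d"} maps gathered by any tool.

def parse_version(text):
    """Parse a four-part Windows file version into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def find_regressions(baseline, current):
    """Return sorted (path, status, baseline_version, current_version) tuples.

    status is 'downgraded', 'missing' or 'unparseable'. Paths are matched
    case-insensitively, as on NTFS. Newer or equal versions are not reported.
    """
    seen = {path.lower(): ver for path, ver in current.items()}
    findings = []
    for path, base_ver in baseline.items():
        cur_ver = seen.get(path.lower())
        if cur_ver is None:
            findings.append((path, "missing", base_ver, None))
            continue
        try:
            # Compare numerically: as strings, "900" would sort above "3880".
            if parse_version(cur_ver) < parse_version(base_ver):
                findings.append((path, "downgraded", base_ver, cur_ver))
        except ValueError:
            findings.append((path, "unparseable", base_ver, cur_ver))
    return sorted(findings)


# Constructed baseline, recorded after a verified patch cycle and stored off-host.
BASELINE = {
    r"C:\Windows\System32\ntoskrnl.exe": "10.0.22621.3880",
    r"C:\Windows\System32\example.dll": "10.0.22621.3810",
    r"C:\Windows\System32\drivers\example.sys": "10.0.22621.3672",
    r"C:\Windows\System32\other.dll": "10.0.22621.3527",
}
# Constructed current inventory: one regression, one update, one unchanged, one gone.
CURRENT = {
    r"c:\windows\system32\ntoskrnl.exe": "10.0.22621.900",
    r"C:\Windows\System32\example.dll": "10.0.22621.3958",
    r"C:\Windows\System32\drivers\example.sys": "10.0.22621.3672",
}

if __name__ == "__main__":
    for path, status, base, cur in find_regressions(BASELINE, CURRENT):
        print(f"{status.upper():12} {path}: baseline {base}, now {cur}")
```

The baseline has to live somewhere the monitored host cannot rewrite, since an attacker able to downgrade components could also alter a local copy.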

The researchers have shared a demo video on the attack alongside other technical details in their post. They presented their findings at the recently held Black Hat 2024.
