A brand new assault method might be used to bypass Microsoft’s Driver Signature Enforcement (DSE) on absolutely patched Home windows programs, resulting in working system (OS) downgrade assaults.
“This bypass permits loading unsigned kernel drivers, enabling attackers to deploy customized rootkits that may neutralize safety controls, conceal processes and community exercise, keep stealth, and way more,” SafeBreach researcher Alon Leviev stated in a report shared with The Hacker Information.
The most recent findings construct on an earlier evaluation that uncovered two privilege escalation flaws within the Home windows replace course of (CVE-2024-21302 and CVE-2024-38202) that might be weaponized to rollback an up-to-date Home windows software program to an older model containing unpatched safety vulnerabilities.
The exploit materialized within the type of a instrument dubbed Home windows Downdate, which, per Leviev, might be used to hijack the Home windows Replace course of to craft absolutely undetectable, persistent, and irreversible downgrades on essential OS elements.
This may have extreme ramifications, because it provides attackers a greater different to Convey Your Personal Weak Driver (BYOVD) assaults, allowing them to downgrade first-party modules, together with the OS kernel itself.
Microsoft subsequently addressed CVE-2024-21302 and CVE-2024-38202 on August 13 and October 8, 2024, respectively, as a part of Patch Tuesday updates.
The most recent method devised by Leviev leverages the downgrade instrument to downgrade the “ItsNotASecurityBoundary” DSE bypass patch on a totally up to date Home windows 11 system.
ItsNotASecurityBoundary was first documented by Elastic Safety Labs researcher Gabriel Landau in July 2024 alongside PPLFault, describing them as a brand new bug class codenamed False File Immutability. Microsoft remediated it earlier this Could.
In a nutshell, it exploits a race situation to exchange a verified safety catalog file with a malicious model containing authenticode signature for an unsigned kernel driver, following which the attacker prompts the kernel to load the driving force.
Microsoft’s code integrity mechanism, which is used to authenticate a file utilizing the kernel mode library ci.dll, then parses the rogue safety catalog to validate the signature of the driving force and cargo it, successfully granting the attacker the power to execute arbitrary code within the kernel.
The DSE bypass is achieved by making use of the downgrade instrument to exchange the “ci.dll” library with an older model (10.0.22621.1376.) to undo the patch put in place by Microsoft.
That having stated, there’s a safety barrier that may forestall such a bypass from being profitable. If Virtualization-Based mostly Safety (VBS) is operating on the focused host, the catalog scanning is carried out by the Safe Kernel Code Integrity DLL (skci.dll), versus ci.dll.
Nonetheless, It is price noting that the default configuration is VBS with out a Unified Extensible Firmware Interface (UEFI) Lock. In consequence, an attacker might flip it off by tampering with the EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures registry keys.
Even in circumstances the place UEFI lock is enabled, the attacker might disable VBS by changing one of many core recordsdata with an invalid counterpart. In the end, the exploitation steps an attacker must comply with are beneath –
- Turning off VBS within the Home windows Registry, or invalidating SecureKernel.exe
- Downgrading ci.dll to the unpatched model
- Restarting the machine
- Exploiting ItsNotASecurityBoundary DSE bypass to realize kernel-level code execution
The one occasion the place it fails is when VBS is turned on with a UEFI lock and a “Obligatory” flag, the final of which causes boot failure when VBS recordsdata are corrupted. The Obligatory mode is enabled manually via a registry change.
“The Obligatory setting prevents the OS loader from persevering with as well in case the Hypervisor, Safe Kernel or considered one of their dependent modules fails to load,” Microsoft notes in its documentation. “Particular care needs to be used earlier than enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse as well.”
Thus, with the intention to absolutely mitigate the assault, it is important that VBS is enabled with UEFI lock and the Obligatory flag set. In every other mode, it makes it doable for an adversary to show the safety characteristic off, carry out the DDL downgrade, and obtain a DSE bypass.
“The principle takeaway […] is that safety options ought to attempt to detect and forestall downgrade procedures even for elements that don’t cross outlined safety boundaries,” Leviev instructed The Hacker Information.
