Cyber Security Alert - Windows Elevation of Privilege Vulnerability Chain-PoC Exploit Released

TLP-AMBER-CLEAR

Summary:

On 7-Aug-2024, Microsoft issued an advisory regarding two unpatched zero-day vulnerabilities, providing mitigation advice until a fix is released.

The vulnerabilities, identified as Windows Secure Kernel Mode (CVE-2024-21302) and Windows Update Stack (CVE-2024-38202), could allow attackers to carry out elevation of privilege attacks. If exploited, they could lead to a Windows Update downgrade attack that can “unpatch” multiple versions of fully updated Windows 10, Windows 11, and Windows Server systems.

A Windows Update downgrade attack is a type of cyberattack in which malicious actors manipulate the Windows Update process to revert a system to an older, vulnerable version. This effectively “unpatches” the system, reintroducing previously fixed vulnerabilities.

On 16-Aug-2024, a proof-of-concept (PoC) exploit and a new tool named “Windows Downdate” were made publicly available.

What is the threat?

The Windows Downdate tool exploits the critical zero-day vulnerabilities to take over the Windows Update process, which could allow attackers to craft custom downgrades. These downgrades roll back system components to older, vulnerable versions, reintroducing past security vulnerabilities that had already been patched.

The proof-of-concept exploit demonstrates that threat actors could use CVE-2024-38202 and CVE-2024-21302 to “unpatch” fully updated Windows 10, Windows 11, and Windows Server systems. If these zero-days are exploited, attackers can downgrade critical OS components such as dynamic link libraries (DLLs), the NT kernel, and security features like Credential Guard’s Secure Kernel and Hyper-V’s hypervisor. This leaves systems vulnerable to privilege escalation and other severe exploits, while the operating system still reports that it is fully updated.
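As an added defender-side example (not from the advisory or from the Windows Downdate tool), the following PowerShell records the on-disk versions of the components named above on a freshly patched host and later flags any that have been rolled back, which is the signal a downgrade leaves even though Windows Update still reports the host as up to date. The file names and paths are assumptions about a standard Windows install.

```powershell
# Added example, not part of the advisory: snapshot the file versions of the
# core components the alert names (NT kernel, VBS Secure Kernel, Hyper-V
# hypervisor, a representative system DLL) and compare against a saved baseline.
# File names below are assumptions about a standard Windows install.
$Components = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",      # NT kernel
    "$env:SystemRoot\System32\securekernel.exe",  # Secure Kernel (VBS / Credential Guard)
    "$env:SystemRoot\System32\hvix64.exe",        # Hyper-V hypervisor (Intel)
    "$env:SystemRoot\System32\hvax64.exe",        # Hyper-V hypervisor (AMD)
    "$env:SystemRoot\System32\ntdll.dll"          # representative system DLL
)

function Get-ComponentVersion {
    # Build a comparable [version] from the PE version resource of one file.
    param([string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    return [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Save-ComponentBaseline {
    # Take the snapshot on a known-good, fully patched host and store it off-box.
    param([string]$BaselinePath, [string[]]$Paths = $Components)
    $snapshot = @{}
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) { $snapshot[$p] = (Get-ComponentVersion $p).ToString() }
    }
    $snapshot | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
}

function Compare-ComponentBaseline {
    # Report every component whose on-disk version is now older than the baseline.
    # A rollback here is the tell: Windows Update still reports the host as up to date.
    param([string]$BaselinePath)
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $findings = @()
    foreach ($entry in $baseline.PSObject.Properties) {
        $file = $entry.Name
        if (-not (Test-Path -LiteralPath $file)) { $findings += "MISSING    $file"; continue }
        $expected = [version]$entry.Value
        $current  = Get-ComponentVersion $file
        if ($current -lt $expected) {
            $findings += "DOWNGRADED $file : baseline $expected, on disk $current"
        }
    }
    return $findings
}

# Usage: Save-ComponentBaseline once after patching, then Compare-ComponentBaseline
# from a scheduled task and alert on any non-empty result. Example paths:
# Save-ComponentBaseline -BaselinePath 'C:\Baselines\core-components.json'
# Compare-ComponentBaseline -BaselinePath 'C:\Baselines\core-components.json'
```

Keep the baseline file somewhere an attacker who already has administrator rights on the host cannot rewrite it (for example an off-box share or a SIEM), since the downgrade itself is performed with that privilege level.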

What are the vulnerabilities?

· CVE-2024-21302 — CVSS 6.7 — MEDIUM — Windows Secure Kernel Mode Elevation of Privilege Vulnerability — An elevation of privilege vulnerability exists in Windows-based systems supporting Virtualization Based Security (VBS), including a subset of Azure Machine SKUs. This allows an attacker with administrator privileges to replace current versions of Windows system files with outdated versions to reintroduce previously mitigated vulnerabilities, circumvent some features of VBS, and exfiltrate data protected by VBS. Weakness: CWE-284: Improper Access Control

· CVE-2024-38202 — CVSS 7.3 — HIGH — Windows Update Stack Elevation of Privilege Vulnerability — An elevation of privilege vulnerability exists in Windows Update, potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS). This vulnerability requires additional interaction by a privileged user for successful exploitation. Weakness: CWE-284: Improper Access Control

What is vulnerable?

· See the Microsoft advisory for CVE-2024-21302 (Windows Secure Kernel Mode Elevation of Privilege Vulnerability) for a list of impacted products.

· See the Microsoft advisory for CVE-2024-38202 (Windows Update Stack Elevation of Privilege Vulnerability) for a list of impacted products.

Mitigation

For more details about the downgrade attack, see the SafeBreach blog post: https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/

For the Black Hat USA 2024 briefing on Windows Downdate, see: https://www.blackhat.com/us-24/briefings/schedule/index.html#windows-downdate-downgrade-attacks-using-windows-updates-38963
