Windows Downdate allows attackers to downgrade Windows systems to previous versions, negating security updates and reintroducing vulnerabilities.
A newly developed tool named Windows Downdate, crafted by Alon Leviev from SafeBreach, facilitates the downgrading of Windows 10, Windows 11, and Windows Server systems, posing significant security risks. This tool can revert devices to older software versions, reinstating previously fixed security flaws.
Earlier this month, I initially reported on the Downdate issue when it became publicly known. Dubbed “Downdate,” this exploit takes advantage of the update mechanism, which involves communication between user PCs and the Microsoft server, and focuses in particular on update folders and action lists.
For further details, you can read more about it here.
The utility, accessible as both an open-source Python script and a Windows executable on GitHub, targets multiple Windows components including the Hyper-V hypervisor, Windows Kernel, NTFS driver, and Filter Manager driver, reverting them to their original states. Leviev demonstrates using Windows Downdate to revert patches for specific vulnerabilities like CVE-2021-27090, CVE-2022-34709, and CVE-2023-21768.
Windows Downdate tool is now live! Utilize this tool to manage Windows Updates, allowing the downgrading and exposing of past vulnerabilities in DLLs, drivers, NT kernel, Secure Kernel, Hypervisor, IUM trustlets and more! https://t.co/59DRIvq6PZ
— Alon Leviev (@_0xDeku) August 25, 2024
The tool exploits the vulnerabilities CVE-2024-21302 and CVE-2024-38202 and goes undetected by many endpoint detection and response (EDR) services. Although the system has been downgraded, Windows Update still incorrectly reports that it is fully up to date. This flaw enables attackers to disable Windows virtualization-based security features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when they are enforced by UEFI locks.
Microsoft has responded to the security concerns by releasing update KB5041773 to address CVE-2024-21302, while CVE-2024-38202 remains unpatched. Microsoft recommends that users apply protective measures against downgrade attacks, including configuring “Audit Object Access” settings, restricting update and restore operations, applying Access Control Lists to limit file access, and monitoring the use of system privileges to identify any misuse.
The security threat posed by Windows Downdate was showcased at both the Black Hat USA 2024 Briefings and DEF CON 32. To deploy the tool, users clone the repository, set it up with Python, and run it with an XML configuration file that specifies which files are to be downgraded.