Windows Downdate: Reopening Old Wounds in Modern Systems
A specialist from SafeBreach, Alon Leviev, has released a tool called Windows Downdate, which enables the reintroduction of old vulnerabilities on updated systems, including Windows 10, Windows 11, and Windows Server.
A downgrade attack allows malicious actors to revert targeted devices to earlier software versions, causing vulnerabilities to re-emerge, which can then be exploited to compromise the system.
Windows Downdate is available as an open-source Python program and as a ready-to-use executable for Windows. The tool facilitates the rollback of various Windows components, such as the Hyper-V hypervisor, system kernel, NTFS drivers, and others, to their base versions.
Leviev also demonstrated examples of using Windows Downdate to reverse patches for vulnerabilities CVE-2021-27090, CVE-2022-34709, CVE-2023-21768, and PPLFault, as well as to bypass VBS protection, including Credential Guard and HVCI components, even when UEFI records are utilized. According to the researcher, this is the first instance of circumventing UEFI protection without physical access to the device.
At the Black Hat 2024 conference, Leviev disclosed that attacks utilizing Windows Downdate remain undetected by EDR solutions, and Windows Update continues to indicate that the system is up to date, despite being downgraded to an older version.
Although Microsoft has patched one of the downgrade vulnerabilities (CVE-2024-21302), the second vulnerability (CVE-2024-38202) remains unresolved. Until the update is released, Microsoft advises customers to implement protective measures.
The recommended measures include configuring object access auditing to monitor attempts to access files, restricting update and recovery operations, using access control lists to limit file access, and auditing privileges to detect exploitation attempts of this vulnerability.
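As an added example (not from the article or from SafeBreach's tool), the PowerShell script below applies the first of these measures on one directory: it enables the File System object-access audit subcategory, attaches a success/failure SACL audit rule, and then reads back the rules and recent Security-log entries. The directory path is a placeholder to be replaced by the administrator, and event ID 4663 ("an attempt was made to access an object") comes from Windows auditing documentation rather than from the article.

```powershell
# Added example, not from the article or SafeBreach. Run as Administrator.
# $Target is a PLACEHOLDER: substitute the directory whose access you want logged.
param(
    [string]$Target = 'C:\PLACEHOLDER_DIRECTORY_TO_MONITOR'
)

# 1. Enable the "File System" object-access audit subcategory for success and failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Build a SACL audit rule: log any principal's write, delete, permission or ownership
#    change on the directory and everything beneath it, whether it succeeds or fails.
$rights  = [System.Security.AccessControl.FileSystemRights]::Write -bor
           [System.Security.AccessControl.FileSystemRights]::Delete -bor
           [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
           [System.Security.AccessControl.FileSystemRights]::TakeOwnership
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               'Everyone', $rights, $inherit, $prop, $flags)

# 3. Attach the rule to the directory's SACL (the -Audit switch is needed to read/write SACLs).
$acl = Get-Acl -Path $Target -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 4. Verify the rule is in place.
(Get-Acl -Path $Target -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 5. Review recent object-access events (ID 4663) that mention the monitored path.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Target*" } |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

The same audit rule can be applied to additional directories by re-running the script with a different `-Target`; forwarding the resulting 4663 events to a SIEM is what turns the audit trail into a detection.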