Researchers demonstrate downgrade attacks that abuse Windows Update to revert fully patched systems to vulnerable states, re-exposing previously fixed vulnerabilities and bypassing key security controls. The work centers on Windows Update internals, VBS and UEFI lock protections, and the creation of Windows Downdate, a tool that achieves undetectable, persistent downgrades; vendor mitigations are still evolving.
#BlackLotus #WindowsDowndate #CredentialGuard #HyperV #UEFI #VBS #CVE-2022-34709 #CVE-2021-27090 #CVE-2022-21894 #CVE-2024-21302 #CVE-2024-38202
Key points
- Downgrade attacks can revert fully patched systems to vulnerable versions, exposing previously fixed vulnerabilities.
- The research led to Windows Downdate, a tool that enables undetectable, invisible, persistent, and irreversible downgrades of critical OS components.
- Bypassing Windows virtualization-based security (VBS) and UEFI locks allows attackers to compromise high-level security features, including Credential Guard and the hypervisor.
- There are no current mitigations to prevent these downgrade attacks, revealing a significant security gap in Windows architecture.
- Responsible disclosure to Microsoft resulted in CVEs and a collaborative response toward mitigations and defensive measures.
MITRE Techniques
- [T1548.002] Abuse Elevation Control Mechanisms – Downgrade from Administrator to Trusted Installer; “Administrator-to-Trusted-Installer elevations are considered malicious and blocked by EDRs, meaning it contradicts my first downgrade principle of being fully undetected.”
- [T1542.003] Pre-OS Boot: UEFI – Bypass of VBS UEFI locks; “the OS loader booted normally, abandoning VBS if it failed to validate one of VBS’s files. This process allowed me to disable VBS, discovering what I believe to be the first bypass of VBS’s UEFI lock!”
- [T1562.001] Impair Defenses – Disable security features (Credential Guard, HVCI, Defender) via downgrade flow; “reverting the PPLFault patch to allow PPL bypass. Second, I disabled Credential Guard, bypassing the UEFI locks by invalidating the Secure Kernel. Finally, I made Windows Defender non-functional by invalidating MsMpEng.”
- [T1003.001] Credential Dumping – Credential extraction from isolated user mode (Credential Guard) using LsaIso.exe; “I targeted the downgrade with CVE-2022-34709… which is a fixed elevation of privilege in Credential Guard. … downgrading the vulnerable module using the Windows Update takeover worked on a fully patched machine!”
- [T1112] Modify Registry – Action list control via PoqexecCmdline; “the key named PoqexecCmdline… holds the executable that parses the list and the list path. This key is not Trusted Installer enforced!”
- [T1068] Exploitation for Privilege Escalation – Use of previously fixed CVEs to escalate privileges from VTL0 to VTL1; “CVE-2022-34709… fixed elevation of privilege in Credential Guard” and similar references for Secure Kernel and Hyper-V.
Indicators of Compromise
- [File] Downgrade targets – AFD.sys, LsaIso.exe – kernel driver downgraded and Credential Guard isolation process affected
- [File] Hypervisor components – Hvix64.exe, Hvax64.exe – Hyper-V hypervisor and loader downgraded
- [File] Vulnerable modules – KerbClientShared, SecureKernel.exe, CI.dll, SKCI.dll – downgraded to older vulnerable versions
- [File] Action/control files – Pending.xml – action list used to perform update actions
- [File] Update tooling/executables – poqexec.exe (launched via the PoqexecCmdline registry value) – parses and executes the update action list
- [Registry] Key/values – RegistryMachineKey, PoqexecCmdline – registry-based control points manipulated during the attack
- [Video/demo] – AFD Downgrade kernel code execution, Credential Guard/PPL/UEFI lock bypass demos
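A defender-side drift check built from the indicators above, added here as an example and not part of the SafeBreach research or its tooling: it records the on-disk file versions of the named downgrade targets plus the PoqexecCmdline value from a known-good state, then flags any component whose version later goes backwards or any change to PoqexecCmdline. The file paths, the baseline location and the registry key holding PoqexecCmdline are assumptions to verify against a reference build.

```powershell
# Added example (not from the original post). Run once with -Record on a freshly
# patched host, then periodically without it to detect a downgrade of these components.
param(
    [string]$BaselinePath = "$env:ProgramData\downdate-baseline.json",
    [switch]$Record,
    # ASSUMPTION: registry key that carries the PoqexecCmdline value; confirm on your build.
    [string]$PoqexecKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
)

# Components named as downgrade targets in the IoC list (paths are assumed defaults).
$targets = @(
    "$env:SystemRoot\System32\drivers\AFD.sys",
    "$env:SystemRoot\System32\LsaIso.exe",
    "$env:SystemRoot\System32\hvix64.exe",
    "$env:SystemRoot\System32\hvax64.exe",
    "$env:SystemRoot\System32\securekernel.exe",
    "$env:SystemRoot\System32\ci.dll",
    "$env:SystemRoot\System32\skci.dll",
    "$env:SystemRoot\System32\poqexec.exe"
)

function Get-ComponentState {
    $state = @{}
    foreach ($p in $targets) {
        if (Test-Path $p) {
            $vi = (Get-Item $p).VersionInfo
            # Build a System.Version from the numeric parts so comparisons are numeric, not lexical.
            $state[$p] = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                        $vi.FileBuildPart, $vi.FilePrivatePart).ToString()
        }
    }
    $cmd = (Get-ItemProperty -Path $PoqexecKey -Name PoqexecCmdline -ErrorAction SilentlyContinue).PoqexecCmdline
    $state['PoqexecCmdline'] = ($cmd -join ' ')   # REG_MULTI_SZ becomes one string
    return $state
}

if ($Record) {
    Get-ComponentState | ConvertTo-Json | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Raw $BaselinePath | ConvertFrom-Json
$current  = Get-ComponentState
$findings = foreach ($k in $current.Keys) {
    $old = $baseline.$k; $new = $current[$k]
    if ($k -eq 'PoqexecCmdline') {
        if ($old -ne $new) { "[ALERT] PoqexecCmdline changed: '$old' -> '$new'" }
    } elseif ($old -and ([version]$new -lt [version]$old)) {
        "[ALERT] downgrade: $k $old -> $new"   # version went backwards since baseline
    }
}
if ($findings) { $findings } else { "No downgrade indicators found." }
```

A staged but not yet executed action list (Pending.xml) will not change any file version, so pair this check with monitoring of the PoqexecCmdline value and the action-list path it references.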
Read more: https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates