Windows Kernel Downgrade Attacks: Bypassing Security on Fully Patched Systems to Deploy Rootkits
A newly discovered method to downgrade Windows kernel components is allowing attackers to bypass critical security features like Driver Signature Enforcement (DSE), enabling rootkit deployments even on fully patched systems. This vulnerability, reported by SafeBreach security researcher Alon Leviev, enables attackers with administrative access to take control of Windows Update and introduce outdated, vulnerable components without changing the system’s “fully patched” status.
Understanding the Kernel Downgrade Vulnerability
Leviev’s research highlights a critical flaw in how Windows Update handles component integrity. Attackers can use this flaw to replace critical Windows components with outdated, vulnerable versions, reintroducing previously patched exploits. Leviev calls this approach "ItsNotASecurityBoundary" due to Microsoft’s response that this method does not cross a defined security boundary if it requires administrator access.
Exploiting Driver Signature Enforcement (DSE)
Leviev demonstrated at BlackHat and DEFCON how this downgrade method could bypass Windows’ DSE. By downgrading ‘ci.dll,’ a component responsible for enforcing driver signature checks, attackers can load unsigned kernel drivers, allowing rootkits to operate undetected. This DSE bypass enables the installation of malicious software that can evade standard security measures by hiding files and processes, effectively allowing attackers to take full control of the target system.
Vulnerabilities in Virtualization-Based Security (VBS)
Virtualization-Based Security (VBS) is intended to enhance kernel protection by isolating essential resources, yet Leviev’s research shows it can be bypassed. By exploiting registry settings, attackers can downgrade or replace critical files within VBS, such as SecureKernel.exe, with vulnerable versions. This creates further opportunities for code execution and reduces the effectiveness of VBS in defending against kernel-level attacks.
Microsoft's Response and Future Mitigations
While Leviev reported the Windows Update takeover flaw, Microsoft initially dismissed it, claiming the attack doesn’t cross a defined security boundary. However, Microsoft has since announced plans to develop mitigations to address these vulnerabilities. Until a comprehensive fix is released, Leviev advises organizations to actively monitor for downgrade attacks, as they pose a significant threat to system integrity.
No comments:
Post a Comment