A newly released open-source tool called Windows Downdate can downgrade fully updated Windows 10, Windows 11, and Windows Server systems, reintroducing vulnerabilities that earlier patches had fixed. Developed by SafeBreach security researcher Alon Leviev, the tool reverts individual system components to older, vulnerable versions while the rest of the system stays current.
The tool is available as a Python-based program or a pre-compiled Windows executable and ships with examples for downgrading specific components such as the Hyper-V hypervisor, the Windows kernel, and the NTFS driver. The downgrade itself is not flagged by endpoint detection and response (EDR) solutions, and Windows Update continues to report the downgraded system as fully up to date, so the rollback is effectively invisible to both security tooling and administrators.
Leviev demonstrated the capabilities of Windows Downdate at Black Hat 2024, showing how it can disable virtualization-based security (VBS) features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI). The result is that a fully patched system can be made susceptible to thousands of past vulnerabilities, rendering the term “fully patched” meaningless.
Microsoft has released a security update (KB5041773) that fixes one of the two vulnerabilities the tool exploits, CVE-2024-21302 in Windows Secure Kernel Mode, but a patch for the other, CVE-2024-38202 in the Windows Update stack, is still pending. In the meantime, customers are advised to apply mitigations: configure “Audit Object Access” settings to log attempts to access or modify update-related files, restrict who can perform update and restore operations, use Access Control Lists to limit access to those files, and audit sensitive privilege use to spot exploitation attempts.
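The following PowerShell script is an added example, not code from the article or from SafeBreach, that implements the checks and mitigations above on a single host: it verifies whether KB5041773 is recorded as installed, reports whether VBS, Credential Guard and HVCI are actually running, enables the audit subcategories Microsoft's guidance refers to, places an audit SACL on the servicing directories, and lists the versions of the components the tool targets. The choice of audited directories and the identity audited are assumptions for illustration; it assumes Windows PowerShell 5.1 run from an elevated prompt.

```powershell
# Added example (not from the article or SafeBreach). Assumes Windows PowerShell 5.1,
# elevated prompt. Directory choices and audited identity are illustrative assumptions.

# 1. Is KB5041773 recorded by the servicing stack on this host?
#    Get-HotFix only lists updates the servicing stack recorded; absence here is a prompt
#    to check Windows Update history, not proof the fix is missing.
$kb = Get-HotFix -Id 'KB5041773' -ErrorAction SilentlyContinue
if ($kb) { "KB5041773 installed on $($kb.InstalledOn)" } else { "KB5041773 NOT recorded as installed" }

# 2. Are VBS, Credential Guard and HVCI actually running, not merely configured?
#    Win32_DeviceGuard: VirtualizationBasedSecurityStatus 0/1/2 = off / enabled / running;
#    SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    VbsStatus       = switch ($dg.VirtualizationBasedSecurityStatus) { 0 {'Not enabled'} 1 {'Enabled, not running'} 2 {'Running'} }
    CredentialGuard = [bool]($dg.SecurityServicesRunning -contains 1)
    HVCI            = [bool]($dg.SecurityServicesRunning -contains 2)
}

# 3. Enable the audit subcategories behind "Audit Object Access" and privilege auditing.
#    File System (Object Access) yields Event ID 4663 for audited file operations;
#    Sensitive Privilege Use (Privilege Use) yields Event ID 4673/4674.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

# 4. Put a write/delete audit SACL on the servicing directories (assumed targets).
#    The .NET API is used instead of Set-Acl so only the SACL section is written;
#    these directories are owned by TrustedInstaller and Set-Acl would try to rewrite the owner.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, 'Write,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success')
foreach ($path in @("$env:SystemRoot\servicing", "$env:SystemRoot\WinSxS")) {
    $dir = Get-Item -Path $path
    $sec = $dir.GetAccessControl('Audit')
    $sec.AddAuditRule($rule)
    $dir.SetAccessControl($sec)
    "Audit SACL applied to $path"
}

# 5. Record the versions of the components the tool is known to downgrade, so a later
#    run can be compared against this baseline. A file whose version or timestamp goes
#    backwards after "successful" patching is the signal to investigate.
$targets = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",           # Windows kernel
    "$env:SystemRoot\System32\drivers\ntfs.sys",       # NTFS driver
    "$env:SystemRoot\System32\hvix64.exe",             # Hyper-V hypervisor (Intel)
    "$env:SystemRoot\System32\hvax64.exe",             # Hyper-V hypervisor (AMD)
    "$env:SystemRoot\System32\securekernel.exe"        # Secure Kernel
)
Get-Item -Path $targets -ErrorAction SilentlyContinue |
    Select-Object Name, @{n='Version'; e={$_.VersionInfo.FileVersion}}, LastWriteTime |
    Format-Table -AutoSize
```

Run the script once after patching to capture a baseline, then re-run it on a schedule and compare the step 5 output; the audit events from steps 3 and 4 are what a SIEM rule for unexpected writes to the servicing directories would key on.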
The release of this tool raises concerns about its potential use in the wild by attackers and highlights the importance of implementing robust security measures to protect against these types of attacks.
Source: https://www.bleepingcomputer.com/news/microsoft/windows-downdate-tool-lets-you-unpatch-windows-systems/