Saturday, February 22, 2025

New Windows Downgrade Attack Lets Hackers Downgrade Patched Systems to Exploits


The researcher found a vulnerability in the Windows Update process that allowed them to downgrade critical system components, including DLLs, drivers, and the NT kernel.

This enabled the attacker to bypass security measures like Secure Boot and expose previously patched vulnerabilities.

There are various ways to disable VBS, including Credential Guard and HVCI, even with UEFI locks, demonstrating the potential for significant security risks on fully patched Windows systems.


The “ItsNotASecurityBoundary” DSE bypass exploits a False File Immutability (FFI) vulnerability.

An attacker can modify files marked as immutable by leveraging a double-read condition in the page fault handler.


This flaw, applied specifically to a security catalog, allows the attacker to replace a verified catalog with a malicious one during a TOCTOU race condition.

This causes the system to accept an unsigned kernel driver as Authenticode-valid, bypassing security measures and potentially compromising the system.

Reverting the Patch

The patch to be reverted is located in ci.dll, and the unpatched version 10.0.22621.1376 is targeted for downgrade. While this approach works on fully patched Windows 11 23H2 machines, the presence of Virtualization-Based Security (VBS) poses a challenge.

VBS can significantly hinder the downgrade process, especially when enabled with UEFI lock and the “Mandatory” flag.

Understanding the different VBS enablement modes and their security implications is essential for determining the feasibility of a successful downgrade attack.

When VBS is disabled via registry modifications, the system can be exploited by downgrading critical system files and leveraging vulnerabilities like “ItsNotASecurityBoundary”. However, UEFI Lock adds an extra layer of security by storing the VBS configuration in UEFI firmware.

The registry is overwritten with the variable’s configuration.

While this prevents remote modification, local attacks can still bypass it by invalidating core VBS components like SecureKernel.exe, which allows attackers to disable VBS and exploit vulnerabilities even with UEFI Lock enabled.

VBS can be secured with the UEFI lock and the “Mandatory” flag. The lock prevents unauthorized modifications to the VBS configuration, while the flag ensures the system fails to boot if VBS files are corrupted.

Both settings can be enabled via the registry, but the lock must be removed first if it is already configured. The “Mandatory” flag, only recently documented, is not automatically set together with the lock and should be used with caution.
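The two paragraphs above, together with the ci.dll discussion earlier, describe the conditions a downgrade needs on a host: VBS that can be switched off from the registry (no UEFI lock), no “Mandatory” flag to make invalidated VBS files fatal, and a code-integrity binary that can be rolled back to the unpatched build. The read-only PowerShell audit below is an added example, not code from the article or from SafeBreach. It reports those conditions so a defender can see which hosts still permit that path. It assumes the documented DeviceGuard registry value names (`EnableVirtualizationBasedSecurity`, `Locked`, `Mandatory`, and `Enabled`/`Locked` under the HVCI scenario key), the `Win32_DeviceGuard` CIM class for the running state, and treats the article's unpatched ci.dll version 10.0.22621.1376 as the baseline at or below which a host counts as downgraded.

```powershell
# Added audit (not the article's or SafeBreach's code). Read-only: it reports
# the VBS/UEFI-lock/"Mandatory" configuration and the ci.dll version, and
# changes nothing, because removing the lock is itself the step an attacker needs.

$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, i.e. not configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Configured (registry) state. Value names assumed from Microsoft's DeviceGuard policy docs.
$cfg = [ordered]@{
    VbsEnabled  = Get-RegValue $dgKey   'EnableVirtualizationBasedSecurity'
    UefiLocked  = Get-RegValue $dgKey   'Locked'      # UEFI lock: config mirrored into firmware
    Mandatory   = Get-RegValue $dgKey   'Mandatory'   # fail boot if VBS files are invalid
    HvciEnabled = Get-RegValue $hvciKey 'Enabled'
    HvciLocked  = Get-RegValue $hvciKey 'Locked'
}

# Running state from the DeviceGuard CIM class.
# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled not running, 2 = running
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2
$hvciRunning = $dg.SecurityServicesRunning -contains 2
$cgRunning   = $dg.SecurityServicesRunning -contains 1

# On-disk code-integrity binary version, built from the numeric version parts so
# the trailing "(WinBuild...)" text in FileVersion does not get in the way.
$ciPath     = Join-Path $env:SystemRoot 'System32\ci.dll'
$vi         = (Get-Item $ciPath).VersionInfo
$ciVersion  = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
$ciBaseline = [version]'10.0.22621.1376'   # ASSUMPTION: the unpatched build the article names

$findings = @()
if (-not $vbsRunning)           { $findings += 'VBS is not running' }
if ($cfg.UefiLocked -ne 1)      { $findings += 'VBS is not UEFI-locked: a local admin can disable it via the registry' }
if ($cfg.Mandatory -ne 1)       { $findings += '"Mandatory" flag not set: invalidated VBS files will not fail the boot' }
if (-not $hvciRunning)          { $findings += 'HVCI is not running' }
if ($ciVersion -le $ciBaseline) { $findings += "ci.dll $ciVersion is at or below the unpatched baseline $ciBaseline" }

[pscustomobject]@{
    Configured       = $cfg
    VbsRunning       = $vbsRunning
    HvciRunning      = $hvciRunning
    CredGuardRunning = $cgRunning
    CiDllVersion     = $ciVersion
    Findings         = $findings
} | Format-List
```

Run it from an elevated PowerShell on each host and collect the `Findings` list centrally; an empty list means VBS is running, UEFI-locked, marked Mandatory, HVCI is on, and ci.dll is newer than the unpatched build. The version check is deliberately a floor rather than an equality, because a downgrade could land on any build at or below the patched one; pair it with your patch-management baseline for the exact expected version.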

The downgrading of first-party components, including the operating system kernel, has been identified as a new threat vector for Windows systems, according to recent research by SafeBreach.

By exploiting vulnerabilities in older, less secure versions of these components, attackers can bypass modern security measures and regain unauthorized access to the system. Known as a downgrade attack, this poses a significant risk because it can revive previously patched vulnerabilities.

Endpoint security solutions must be able to detect and prevent attacks of this nature, even when they do not involve the usual methods of privilege escalation.
