PoC Exploit for Windows 0-Day Flaws CVE-2024-38202 and CVE-2024-21302 Released
Researchers have published the technical details and proof-of-concept (PoC) exploit code for two critical zero-day vulnerabilities in Windows, tracked as CVE-2024-38202 and CVE-2024-21302. These vulnerabilities, revealed at Black Hat 2024 by SafeBreach security researcher Alon Leviev, can be exploited to undermine the integrity of Windows Update and reintroduce thousands of previously fixed vulnerabilities, effectively turning patched systems into zero-day targets.
Researchers released a new tool named “Windows Downdate.” This tool exploits the aforementioned vulnerabilities to take over the Windows Update process, allowing attackers to craft custom downgrades. These downgrades roll back system components to older, vulnerable versions, reintroducing past security flaws that had been patched, making the term “fully patched” meaningless for any Windows machine.
The published proof-of-concept exploit demonstrates how threat actors can use CVE-2024-38202 and CVE-2024-21302 to unpatch fully updated Windows 10, Windows 11, and Windows Server systems. By exploiting these zero-days, attackers can downgrade critical OS components such as dynamic link libraries (DLLs), the NT Kernel, and security features like Credential Guard’s Secure Kernel and Hyper-V’s hypervisor. This process leaves systems vulnerable to privilege escalation attacks and other severe exploits, all while the OS reports that it is fully updated.
One of the most alarming aspects of this downgrade attack is its stealth. Once the system is downgraded, Windows Update continues to indicate that the system is fully patched. Endpoint detection and response (EDR) solutions are unable to detect these downgrades, making this attack vector particularly dangerous. Leviev’s research shows that this method of attack is invisible to standard recovery and scanning tools, leaving administrators blind to the vulnerabilities that have been reintroduced.
In response to this critical discovery, Microsoft has issued advisories on both zero-days, offering mitigation advice. The company’s August 2024 Patch Tuesday included patches for the vulnerabilities used by “Windows Downdate” to execute these downgrade attacks.
- CVE-2024-38202 (CVSS 7.3): This vulnerability involves a Windows Backup privilege escalation flaw that allows attackers with basic user privileges to unpatch previously mitigated security bugs or bypass Virtualization Based Security (VBS) features.
- CVE-2024-21302 (CVSS 6.7): This vulnerability relates to the Windows Secure Kernel Mode Elevation of Privilege, enabling attackers with admin privileges to replace Windows system files with outdated and vulnerable versions.
Microsoft has stated that, as of now, there are no known attempts to exploit these vulnerabilities in the wild. However, with the proof-of-concept code now publicly available, the risk of exploitation has increased significantly. The company is urging all users and administrators to follow the recommended mitigations in the advisories to reduce the risk of exploitation until a full security update is available.
“Windows Downdate” has been made open-source and is available on GitHub. While this move is intended to aid security professionals in understanding and mitigating the vulnerabilities, it also presents a significant risk as threat actors can now easily access and potentially weaponize the tool.
While the publication of PoC exploits can drive rapid responses and patch development, it also opens the door to immediate exploitation by malicious actors.
Organizations are advised to immediately implement the mitigations recommended by Microsoft and to monitor systems closely for any signs of unusual activity.
