CVE-2024-21302
NT Kernel — secure kernel version downgrade bypass via unvalidated version state
Summary
| Field | Value |
|---|---|
| Driver | ntoskrnl.exe |
| Vulnerability Class | State Hardening |
| Vulnerable Build | 10.0.22621.3958 (KB5040527) |
| Fixed Build | 10.0.22621.4169 (KB5043076) |
| Exploited ITW | No |
Affected Functions
- VslCheckVersion
- SepValidateSecureKernelVersion
Root Cause
AutoPiff categorizes this as state_hardening with detection rules:
- interlocked_refcount_added
Exploitation
Patch Analysis
Detection
YARA Rule
```yara
rule CVE_2024_21302_ntoskrnl {
    meta:
        description = "Detects vulnerable version of ntoskrnl.exe (pre-patch)"
        cve = "CVE-2024-21302"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "ntoskrnl.exe" wide ascii nocase
        $version = "10.0.22621.3958" wide ascii
        $vsl_check = "VslCheckVersion" ascii
        $sep_validate = "SepValidateSecureKernelVersion" ascii
    condition:
        $mz at 0 and $driver_name and $version and ($vsl_check or $sep_validate)
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Security-Auditing | Event 4688 — Process creation | Detects execution of Windows Update tools or custom binaries that initiate the downgrade flow by manipulating update catalogs or servicing stack components |
| Microsoft-Windows-Kernel-Audit | Secure kernel version validation events | Monitors calls to VslCheckVersion and SepValidateSecureKernelVersion for version state inconsistencies that indicate a downgrade bypass |
| Microsoft-Windows-Security-Auditing | Event 4672 — Special privileges assigned | Fires when the attacker acquires SeRestorePrivilege, SeTakeOwnershipPrivilege, or other privileges needed to replace protected system files |
| Microsoft-Windows-CodeIntegrity | Code integrity validation events | Detects loading of older, validly-signed but vulnerable kernel binaries that were rolled back by the downgrade attack |
| Microsoft-Windows-Kernel-Process | Secure kernel module load events | Identifies when the secure kernel or VBS components are loaded with version numbers that predate the current patch level |
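The two Security-log rows in the table above can be triaged together: find privileged logons that were granted the file-replacement privileges, then list the processes created under those same logon sessions. The script below is an added example, not part of the original advisory or any KernelSight tooling; the event IDs and privilege names come from the table, while the one-day lookback, the exclusion of the local SYSTEM account, the property indexes used for 4672/4688 and the output shape are assumptions.

```powershell
# Added example (not from the original advisory): correlate Security events 4672 and
# 4688 from the ETW Indicators table. Assumptions: one-day window, SYSTEM excluded,
# standard property ordering for 4672 (SubjectUserSid, SubjectUserName, ..., PrivilegeList)
# and 4688 (..., SubjectLogonId at index 3, NewProcessName at 5, CommandLine at 8).

$Since       = (Get-Date).AddDays(-1)
$PrivPattern = 'SeRestorePrivilege|SeTakeOwnershipPrivilege'   # privileges named in the table

# 4672 fires for every privileged logon, so narrow it to the privileges that allow
# replacing protected system files and drop the local SYSTEM account (S-1-5-18).
$priv = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value.ToString() -ne 'S-1-5-18' -and $_.Message -match $PrivPattern } |
    Select-Object TimeCreated,
        @{ n = 'User';    e = { $_.Properties[1].Value } },
        @{ n = 'LogonId'; e = { '0x{0:X}' -f [int64]$_.Properties[3].Value } }

# Every process created under one of those logon sessions. CommandLine is only
# populated when "Include command line in process creation events" is enabled.
$logonIds = $priv | Select-Object -ExpandProperty LogonId -Unique
$procs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { ('0x{0:X}' -f [int64]$_.Properties[3].Value) -in $logonIds } |
    Select-Object TimeCreated,
        @{ n = 'LogonId';     e = { '0x{0:X}' -f [int64]$_.Properties[3].Value } },
        @{ n = 'Process';     e = { $_.Properties[5].Value } },
        @{ n = 'CommandLine'; e = { $_.Properties[8].Value } }

"Privileged logons granted $PrivPattern since ${Since}:"
$priv  | Format-Table -AutoSize
"Processes created under those sessions:"
$procs | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

Run it in an elevated session on the host, or point `Get-WinEvent` at an exported `.evtx` with `-Path` when the host itself is suspect. Both event IDs depend on the matching audit subcategories (Process Creation and Special Logon) being enabled, and the CommandLine column stays empty unless command-line auditing is switched on.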
Behavioral Indicators
- An attacker with admin privileges manipulates the Windows Update servicing stack or component store to replace patched system binaries (ntoskrnl.exe, securekernel.exe, skci.dll) with older, vulnerable but validly-signed versions, bypassing VBS version enforcement
- The VslCheckVersion function accepts a downgraded version number because the version state was not properly validated or atomically compared, allowing the secure kernel to load a rolled-back binary
- System files in %SystemRoot%\System32 are replaced with older versions that still carry valid Microsoft Authenticode signatures, passing code integrity checks despite being outdated
- After reboot, the system runs with older kernel binaries that reintroduce previously patched vulnerabilities (such as CVE-2024-21338 or other kernel EoP bugs), effectively undoing months of security patches
- Windows Update reports the system as fully patched despite the kernel and secure kernel components having been silently downgraded, creating a false sense of security that the attacker can exploit for persistent access
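The last three indicators describe one observable condition: the OS reports a build at or above the fix while the protected binaries on disk are older and still validly signed. The check below is an added example, not code from the original advisory or from KernelSight; the fixed build number and the three file names come from this page, while reading the installed build from the CurrentVersion registry key, treating the file version resource as the binary's build number, and the output shape are assumptions.

```powershell
# Added example (not from the original advisory): compare on-disk kernel binaries
# against the Fixed Build from the Summary table and against the build Windows
# believes is installed. Assumptions: CurrentBuildNumber + UBR reflects what Windows
# Update reports, and the file version resource tracks the binary's build.

$FixedBuild = [version]'10.0.22621.4169'                          # Fixed Build (KB5043076) from the Summary table
$Binaries   = @('ntoskrnl.exe', 'securekernel.exe', 'skci.dll')   # files named under Behavioral Indicators

# Installed build as Windows Update sees it: CurrentBuildNumber plus the UBR revision.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$InstalledBuild = [version]('10.0.{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)

$findings = foreach ($name in $Binaries) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path $path)) { continue }

    # Build the version from the numeric parts; FileVersion can carry trailing text.
    $vi      = (Get-Item $path).VersionInfo
    $fileVer = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $sig     = Get-AuthenticodeSignature $path

    [pscustomobject]@{
        File        = $name
        FileVersion = $fileVer
        BelowFixed  = ($fileVer -lt $FixedBuild)
        SignatureOK = ($sig.Status -eq 'Valid')
        # The downgrade pattern: an older-than-fix binary that still passes signature
        # checks on a system whose reported build says it is patched.
        Suspicious  = ($fileVer -lt $FixedBuild) -and ($sig.Status -eq 'Valid') -and ($InstalledBuild -ge $FixedBuild)
    }
}

"Installed build reported by Windows: $InstalledBuild (fixed build: $FixedBuild)"
$findings | Format-Table -AutoSize
if ($findings | Where-Object Suspicious) {
    Write-Warning "Reported build is at or above the fix, but one or more protected binaries predate $FixedBuild."
}
```

This reads the same version number the YARA rule in the Detection section keys on, but from the version resource rather than a raw string match, and adds the two conditions that distinguish a downgrade from a merely unpatched host: a valid signature and a reported build that claims the fix is present. Because an attacker who has replaced kernel binaries can also tamper with what the running system reports, treat a clean result from the live host as weaker evidence than the same check run against an offline disk image or from a boot environment.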