Baton Drop

Vulnerability updated 5 months ago (2024-05-04T18:47:53.872Z)
Baton Drop, designated CVE-2022-21894, is a flaw in the Windows boot loader (the UEFI boot manager, bootmgfw.efi) that can be exploited to bypass Secure Boot, the UEFI control that verifies each stage of the boot chain before handing it control. The vulnerability was targeted by BlackLotus, a UEFI bootkit that exploits two Secure Boot vulnerabilities to take control during the earliest phase of the boot process. Microsoft patched Baton Drop in January 2022, but the National Security Agency (NSA) warns that the threat is not fully remediated: boot loaders vulnerable to Baton Drop are still trusted by Secure Boot because their signatures have never been revoked.

BlackLotus has been used in attacks against Windows 10 and 11, exploiting Baton Drop to get around Secure Boot and start a chain of malicious operations against the compromised system. It does this by replacing the fully patched boot loader with a vulnerable but validly signed version, then using the flaw to strip the Secure Boot policy so that it is never enforced. Because the vulnerable binaries carry a legitimate Microsoft signature, an attacker who already has administrative access to a system can install one, exploit it, and gain persistence at a level more privileged than the operating system itself, since the bootkit runs before it.

Microsoft's patch makes exploitation harder but not impossible: the certificate that signed the vulnerable boot loaders remains valid, and the binaries have not been added to the Secure Boot forbidden-signature database (DBX). BlackLotus takes advantage of this, exploiting a second vulnerability, CVE-2023-24932, alongside Baton Drop to insert itself into the boot process. Administrators should not consider the threat remediated until the vulnerable boot loaders are actually revoked, because attackers can simply swap a fully patched boot loader for a legitimate but vulnerable one in order to run BlackLotus on compromised endpoints.
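The two conditions described above (the old signing certificate still trusted, and the boot manager on the EFI system partition silently swapped for an older signed build) can both be checked from an elevated PowerShell session. The script below is an added example, not code from the Cybergeist page, the NSA or Microsoft; it mirrors the certificate-presence checks in Microsoft's CVE-2023-24932 revocation guidance (KB5025885) and adds a hash comparison of the live boot manager against the servicing copy under %SystemRoot%. It assumes drive letter S: is free for mounting the ESP and that C:\Windows\Boot\EFI\bootmgfw.efi is the reference copy Windows servicing maintains.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the page, the NSA or Microsoft). Reports whether this host
# still accepts Baton Drop-vulnerable boot loaders and whether the boot manager on the
# EFI system partition (ESP) differs from the copy Windows servicing keeps.
Import-Module SecureBoot -ErrorAction Stop

function Get-UefiVariableText {
    param([Parameter(Mandatory)][string]$Name)
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes of db/dbx. The X.509
    # certificates inside carry their subject names as ASCII, so a substring match on
    # the decoded bytes is enough to tell which CAs are present (same approach as
    # Microsoft's own verification commands in KB5025885).
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

function Test-BatonDropExposure {
    # Secure Boot has to be on for the bypass to mean anything.
    $secureBoot = Confirm-SecureBootUEFI
    $db  = Get-UefiVariableText -Name 'db'
    $dbx = Get-UefiVariableText -Name 'dbx'

    # Boot loaders vulnerable to CVE-2022-21894 are signed under
    # "Microsoft Windows Production PCA 2011". Until that CA sits in DBX (forbidden
    # signatures), a signed-but-vulnerable bootmgfw.efi is still accepted at boot.
    # The replacement "Windows UEFI CA 2023" must be in db before the old CA is revoked,
    # otherwise the patched boot manager would itself stop booting.
    $oldCaRevoked = $dbx -match 'Microsoft Windows Production PCA 2011'
    $newCaTrusted = $db  -match 'Windows UEFI CA 2023'

    [pscustomobject]@{
        SecureBootEnabled             = $secureBoot
        NewBootCaTrustedInDb          = $newCaTrusted
        OldBootCaRevokedInDbx         = $oldCaRevoked
        StillAcceptsVulnerableLoaders = $secureBoot -and -not $oldCaRevoked
    }
}

function Compare-BootManager {
    param([string]$Drive = 'S')   # assumption: this letter is unused
    $esp = "${Drive}:"
    mountvol $esp /S | Out-Null   # mount the EFI system partition
    try {
        $live = Join-Path $esp 'EFI\Microsoft\Boot\bootmgfw.efi'          # what firmware boots
        $ref  = Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi'          # servicing copy (assumed reference)
        $liveHash = (Get-FileHash -Algorithm SHA256 -Path $live).Hash
        $refHash  = (Get-FileHash -Algorithm SHA256 -Path $ref).Hash
        $sig      = Get-AuthenticodeSignature -FilePath $live
        [pscustomobject]@{
            LiveVersion              = (Get-Item $live).VersionInfo.FileVersion
            ReferenceVersion         = (Get-Item $ref).VersionInfo.FileVersion
            LiveSha256               = $liveHash
            ReferenceSha256          = $refHash
            # A 'Valid' status is NOT evidence of safety: a downgraded loader is also
            # validly signed. The hash mismatch and the DBX state are what matter.
            LiveSignatureValid       = ($sig.Status -eq 'Valid')
            LiveSigner               = $sig.SignerCertificate.Subject
            MismatchWithServicingCopy = ($liveHash -ne $refHash)
        }
    } finally {
        mountvol $esp /D | Out-Null   # always unmount the ESP
    }
}

Test-BatonDropExposure | Format-List
Compare-BootManager    | Format-List
```

Read the two results together: StillAcceptsVulnerableLoaders = True means a re-introduced Baton Drop-era boot manager would still pass Secure Boot on this machine regardless of patch level, and MismatchWithServicingCopy = True with a valid Microsoft signature is exactly the downgrade pattern described above and warrants pulling the ESP copy for analysis rather than assuming it is a benign servicing difference.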
Description last updated: 2024-05-04T16:23:21.558Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: CVE-2022-21894
Description: CVE-2022-21894 is a possible alias for Baton Drop. CVE-2022-21894, also known as "Baton Drop," is a significant vulnerability in the Windows boot loader that affects Windows machines. It was identified and patched by Microsoft in January 2022. This flaw bypasses security features during the device's startup process, specifically the Secure
Votes: 4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Exploit
NSA
Windows
Exploits
Associated Malware
Alias: BlackLotus
Description: The BlackLotus malware is associated with Baton Drop. BlackLotus is a harmful malware that targets the Unified Extensible Firmware Interface (UEFI) and Secure Boot systems, exploiting their vulnerabilities to gain persistent kernel access and privileges. It was first detected in 2022 when security researchers discovered a UEFI bootkit being sold on hac
Association Type: Unspecified
Votes: 4