Baton Drop

Vulnerability updated 23 days ago (2024-11-29T14:21:44.434Z)

Download STIX

Preview STIX

The Baton Drop vulnerability, designated CVE-2022-21894, is a flaw in the Windows boot loader that can be exploited to bypass Secure Boot - a security control that protects a Windows system during startup. This vulnerability was targeted by BlackLotus, a software threat that exploits two vulnerabilities in the UEFI Secure Boot function to gain control during the earliest phase of the software boot process. Despite Microsoft issuing a patch for this vulnerability in January 2022, the National Security Agency (NSA) warns that the threat is not fully remediated as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot. BlackLotus has been utilized in attacks against Windows 10 and 11, exploiting the Baton Drop vulnerability to get around Secure Boot security and initiate a chain of malicious operations aimed at compromising system security. This is achieved by substituting fully patched boot loaders with vulnerable versions, thereby stripping the Secure Boot policy and preventing its enforcement. Even though the Baton Drop vulnerability was patched over a year ago, attackers with access to a compromised system can install a vulnerable bootloader and then exploit the vulnerability, gaining persistence and a more privileged level of control. Despite the patch issued by Microsoft, the certificate of the vulnerable version remains valid, making exploitation more difficult but not impossible. BlackLotus takes advantage of this, exploiting a second vulnerability, CVE-2023-24932, alongside Baton Drop to insert itself into the boot process. Administrators are warned not to consider the threat fully remediated, as bad actors can simply replace fully patched boot loaders with legitimate but vulnerable versions in order to execute BlackLotus on compromised endpoints.

Description last updated: 2024-05-04T16:23:21.558Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
CVE-2022-21894 is a possible alias for Baton Drop. CVE-2022-21894, also known as "Baton Drop," is a significant vulnerability in software design or implementation that affects Windows machines. It was identified and patched by Microsoft in January 2022. This flaw bypasses security features during the device's startup process, specifically the Secure	4
CVE-2023-24932 is a possible alias for Baton Drop. CVE-2023-24932 is a significant vulnerability identified in Microsoft's Secure Boot Security Feature. This flaw in software design or implementation allowed for a bypass of the Secure Boot function, presenting a considerable security risk. The vulnerability was exploited in the wild and became assoc	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Vulnerability

Exploit

Exploits

Malware

Windows

Nsa

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Blacklotus Malware is associated with Baton Drop. BlackLotus is a harmful malware that targets the Unified Extensible Firmware Interface (UEFI) and Secure Boot systems, exploiting their vulnerabilities to gain persistent kernel access and privileges. It was first detected in 2022 when security researchers discovered a UEFI bootkit being sold on hac	Unspecified	4

Source Document References

Information about the Baton Drop Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	12 days ago	'Bootkitty' First Bootloader to Take Aim at Linux
DARKReading	2 years ago	BlackLotus Secure Boot Bypass Malware Set to Ramp Up
CERT-EU	a year ago	Leftover Links 14/07/2023: Microsoft in Trouble With the FTC Again, This Time Over 'Open' 'AI'
CERT-EU	a year ago	BlackLotus UEFI malware source code has leaked on GitHub
InfoSecurity-magazine	a year ago	NSA Releases Guide to Mitigate BlackLotus Bootkit Infections
CERT-EU	2 years ago	Март 2023 — mov ax,bx
CERT-EU	2 years ago	Microsoft's May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug
CERT-EU	a year ago	NSA: BlackLotus BootKit Patching Won't Prevent Compromise
CERT-EU	a year ago	NSA Releases Guide to Combat BlackLotus Malware \| IT Security News
CERT-EU	a year ago	NSA Releases Guide to Combat BlackLotus Malware
BankInfoSecurity	a year ago	NSA Issues Remediation Guidance for BlackLotus Malware
CERT-EU	a year ago	Microsoft’s bootkit patches offer ‘false sense of security’ against BlackLotus threat, NSA says
CERT-EU	a year ago	To kill BlackLotus malware, patching is a good start, but...