Baton Drop

Vulnerability Profile Updated a month ago
The Baton Drop vulnerability, designated CVE-2022-21894, is a flaw in the Windows boot loader that can be exploited to bypass Secure Boot, the security control that protects a Windows system during startup. It was targeted by BlackLotus, a UEFI bootkit that exploits two vulnerabilities in the UEFI Secure Boot function to gain control during the earliest phase of the boot process. Although Microsoft issued a patch for this vulnerability in January 2022, the National Security Agency (NSA) warns that the threat is not fully remediated, because boot loaders vulnerable to Baton Drop are still trusted by Secure Boot.

BlackLotus has been used in attacks against Windows 10 and 11, exploiting Baton Drop to get around Secure Boot and start a chain of malicious operations aimed at compromising system security. It does this by replacing fully patched boot loaders with vulnerable versions, thereby stripping the Secure Boot policy and preventing its enforcement. Even though Baton Drop was patched over a year ago, an attacker who already has access to a compromised system can install a vulnerable boot loader and then exploit the flaw, gaining persistence and a more privileged level of control. Microsoft's patch makes exploitation more difficult but not impossible, because the certificate that signed the vulnerable version remains valid. BlackLotus takes advantage of this, exploiting a second vulnerability, CVE-2023-24932, alongside Baton Drop to insert itself into the boot process. Administrators are warned not to consider the threat fully remediated, as attackers can simply replace fully patched boot loaders with legitimate but vulnerable versions in order to execute BlackLotus on compromised endpoints.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

CVE-2022-21894 (4 votes): CVE-2022-21894, also known as "Baton Drop," is a significant vulnerability in software design or implementation that affects Windows machines. It was identified and patched by Microsoft in January 2022. This flaw bypasses security features during the device's startup process, specifically the Secure

CVE-2023-24932 (1 vote): CVE-2023-24932 is a significant vulnerability identified in Microsoft's Secure Boot Security Feature. This flaw in software design or implementation allowed for a bypass of the Secure Boot function, presenting a considerable security risk. The vulnerability was exploited in the wild and became assoc
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Vulnerability
NSA
Windows
Malware
Loader
Linux
Bootkit
Associated Malware
BlackLotus (type: Unspecified, 4 votes): BlackLotus is a malicious software (malware) that poses a significant threat to computer systems by exploiting vulnerabilities in the Unified Extensible Firmware Interface (UEFI) and Secure Boot processes. As of 2023, BlackLotus was confirmed to be an active UEFI bootkit, capable of bypassing securi

Associated Threat Actors
No associations to display

Associated Vulnerabilities
No associations to display
Source Document References
Information about the Baton Drop vulnerability was read from the document corpus below. This display is limited to 20 results.

CERT-EU (a year ago): Microsoft's bootkit patches offer 'false sense of security' against BlackLotus threat, NSA says
DARKReading (a year ago): BlackLotus Secure Boot Bypass Malware Set to Ramp Up
BankInfoSecurity (a year ago): NSA Issues Remediation Guidance for BlackLotus Malware
CERT-EU (a year ago): NSA Releases Guide to Combat BlackLotus Malware
CERT-EU (a year ago): BlackLotus UEFI malware source code has leaked on GitHub
CERT-EU (a year ago): Microsoft's May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug
CERT-EU (a year ago): To kill BlackLotus malware, patching is a good start, but...
CERT-EU (a year ago): Leftover Links 14/07/2023: Microsoft in Trouble With the FTC Again, This Time Over 'Open' 'AI'
CERT-EU (a year ago): NSA Releases Guide to Combat BlackLotus Malware | IT Security News
CERT-EU (a year ago): March 2023 — mov ax,bx
CERT-EU (a year ago): NSA: BlackLotus BootKit Patching Won't Prevent Compromise
InfoSecurity-magazine (a year ago): NSA Releases Guide to Mitigate BlackLotus Bootkit Infections