TID-210: Device Vulnerabilities Unpatchable
Threat Description
Threat actors frequently target device components, such as firmware, that already have known vulnerabilities rather than expending the effort to discover new ones. If a device cannot update its firmware, especially after a vulnerability is discovered, threat actors may be able to target these vulnerabilities, because a vulnerability that is found once remains exploitable in perpetuity on all devices running that firmware. Threat actors’ ability to achieve their goals will depend on the nature of the unpatched vulnerability.
If identified threats cannot be mitigated because vulnerable components cannot be disabled or updated, the device will remain vulnerable. This may also be the result of the device reaching its End-of-Service/Support date, after which it is no longer supported by the vendor.
Threat Maturity and Evidence
Known Exploitable Weakness
Regarding Unit 42, “New Mirai Variant Targeting Network Security Devices”:
Some of the IoT devices targeted by the Mirai botnet could not be patched because the devices had reached the vendor-stated End-of-Service/Support date.
CWE
CWE-1277: Firmware Not Updateable
“The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.”
CWE-1329: Reliance on Component That is Not Updateable
“The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.”