TID-216: Firmware Update Rollbacks Allowed
Threat Description
Firmware updates often include fixes for security vulnerabilities, which means earlier firmware versions carry weaknesses that are publicly known. If a threat actor can initiate a firmware update on the device, they may be able to “upgrade” it to a previous firmware version with known vulnerabilities. Once that version is installed, the threat actor can exploit those vulnerabilities to gain additional access or privileges on the device. Because an older image is usually still validly signed by the vendor, signature verification alone does not prevent this; the device must also refuse any image whose security version number is lower than the value recorded in non-decreasing storage (the weakness catalogued as CWE-1328).
Threat Maturity and Evidence
Observed Adversarial Behavior
- China APT Cracks Cisco Firmware in Attacks Against the US and Japan
Threat group BlackTech (also tracked as Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) has performed firmware downgrade attacks against Cisco devices. Once the firmware is downgraded, BlackTech can leverage older vulnerabilities to “hot patch old firmware in memory” with custom firmware code. From there the group achieves persistence and pivots from “smaller, international subsidiaries to headquarters of affected organizations.”
Proof of Concept
- PT-2021-01: Encryption bypass when downloading a firmware update in Diebold-Nixdorf CMDv5
“[The flaws] can be exploited by an unauthenticated attacker to execute arbitrary code, bypass the firmware anti-rollback mechanism, and install firmware containing known vulnerabilities, according to Positive Technologies.”
CWE
- CWE-1328: Security Version Number Mutable to Older Versions
“Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.”
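The check that the threat description and CWE-1328 call for, added here as an example that is not part of the TID-216 entry or of any vendor's update code: a C model of an update path that compares the candidate image's security version number (SVN) against a monotonic counter and refuses to move that counter backwards. The header layout, the FW_MAGIC constant, the struct and function names, and the sample images are all constructed for this example; signature verification is assumed to run before this check and is deliberately separate from it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical firmware image header, constructed for this example. Real
 * devices define their own layout; these are the minimum fields an
 * anti-rollback check needs. */
#define FW_MAGIC 0x46574849u   /* arbitrary marker, not from any real format */

struct fw_header {
    uint32_t magic;
    uint32_t fw_version;   /* build/marketing version; branches can reorder it */
    uint32_t svn;          /* security version number: bumped only for security fixes */
    uint32_t image_len;    /* total image length, header included */
};

/* Model of the device's security-version store. In hardware this is an
 * OTP fuse bank or an RPMB counter; the property that matters is that it
 * only ever moves upwards. */
struct svn_store {
    uint32_t svn;
};

enum fw_result {
    FW_OK = 0,
    FW_BAD_HEADER,
    FW_ROLLBACK_REJECTED,
};

/* CWE-1328 in miniature: a store that accepts any value lets an attacker
 * lower the floor and then "upgrade" to vulnerable firmware. This store
 * refuses a decrease outright. */
bool svn_store_update(struct svn_store *store, uint32_t new_svn)
{
    if (new_svn < store->svn)
        return false;          /* never a legitimate operation */
    store->svn = new_svn;
    return true;
}

/* Parse and sanity-check the header of a candidate image. */
bool fw_parse_header(const uint8_t *image, size_t len, struct fw_header *out)
{
    if (len < sizeof(*out))
        return false;
    memcpy(out, image, sizeof(*out));
    if (out->magic != FW_MAGIC)
        return false;
    if (out->image_len != len)
        return false;
    return true;
}

/* Decide whether an image may be installed. The vendor signature is assumed
 * to have been verified already; a genuine, vendor-signed *old* image passes
 * that check, which is exactly why this second test exists. */
enum fw_result fw_check_rollback(const uint8_t *image, size_t len,
                                 const struct svn_store *store,
                                 struct fw_header *hdr_out)
{
    struct fw_header hdr;
    if (!fw_parse_header(image, len, &hdr))
        return FW_BAD_HEADER;
    /* Compare svn, not fw_version: a higher build number on a maintenance
     * branch can still carry an older security baseline. */
    if (hdr.svn < store->svn)
        return FW_ROLLBACK_REJECTED;
    if (hdr_out)
        *hdr_out = hdr;
    return FW_OK;
}

/* Full install path: check, then raise the counter to the installed SVN. */
enum fw_result fw_install(const uint8_t *image, size_t len, struct svn_store *store)
{
    struct fw_header hdr;
    enum fw_result r = fw_check_rollback(image, len, store, &hdr);
    if (r != FW_OK)
        return r;
    svn_store_update(store, hdr.svn);   /* cannot fail: hdr.svn >= store->svn */
    return FW_OK;
}

/* Build a constructed image for the example: header plus 16 bytes of payload. */
size_t make_image(uint8_t *buf, size_t cap, uint32_t fw_version, uint32_t svn)
{
    struct fw_header hdr = { FW_MAGIC, fw_version, svn, 0 };
    size_t len = sizeof(hdr) + 16;
    if (cap < len)
        return 0;
    hdr.image_len = (uint32_t)len;
    memcpy(buf, &hdr, sizeof(hdr));
    memset(buf + sizeof(hdr), 0xAA, 16);
    return len;
}

int main(void)
{
    struct svn_store store = { .svn = 0 };
    uint8_t a[64], b[64], c[64];
    size_t la = make_image(a, sizeof a, 100, 1);  /* v1.0.0, svn 1 */
    size_t lb = make_image(b, sizeof b, 120, 2);  /* v1.2.0, svn 2: carries a security fix */
    size_t lc = make_image(c, sizeof c, 130, 1);  /* v1.3.0 on the old branch, svn still 1 */
    printf("install v1.0.0 (svn 1): %d\n", fw_install(a, la, &store));
    printf("install v1.2.0 (svn 2): %d\n", fw_install(b, lb, &store));
    printf("reinstall v1.0.0 (svn 1): %d\n", fw_install(a, la, &store));
    printf("install v1.3.0 (svn 1): %d\n", fw_install(c, lc, &store));
    return 0;
}
```

The third image is the case that trips version-string comparisons: its build number is higher than anything installed, but its security baseline is the pre-fix one, so the SVN check rejects it. Whether the real counter is fuses, RPMB or a signed monotonic record in the bootloader's own storage, the install path must be the only writer and must never accept a decrease.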
CVE
- Diebold Nixdorf ATM Flaws Allowed Attackers to Modify Firmware, Steal Cash – CVE-2018-9099
“…the researchers figured out the command encryption between the ATM computer and the cash dispenser, bypassed it, replaced the ATM firmware with an outdated one, and exploited the vulnerabilities to tell the system to spew cash.”