TID-217: Remotely Initiated Updates Can Cause DoS
Threat Description
When a firmware/software update process is initiated on a device, the device may enter a different operational mode in which it stops performing key functions, including networking, data collection, or control functions. Therefore, a threat actor who can remotely initiate a firmware/software update can cause a denial of service on the device.
Threat Maturity and Evidence
Observed Adversary Behavior
ATT&CK Technique: Activate Firmware Update Mode (T0800)
Procedure Example: Industroyer (S0604)
“The Industroyer SIPROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used by the adversary to prevent the SIPROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission.”
CWE
CWE-400: Uncontrolled Resource Consumption
“The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.”
CVE
CRASHOVERRIDE - CVE-2015-5374
“Specially crafted packets sent to port 50000/UDP could cause a denial-of-service of the affected device. A manual reboot may be required to recover the service of the device.”
“The DoS condition places the victim SIPROTEC device in ‘firmware update’ mode. The effect triggered is practical and useful in legitimate firmware update instances given the limited resources available to legacy SIPROTEC devices (especially for memory).”
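A defender-side detection for this threat, added here as an example that is not part of the EMB3D entry or any vendor tooling: it reads device event logs and flags entries into firmware update mode that come from outside the engineering network, fall outside an approved maintenance window, or hit several devices in quick succession (the fleet-wide pattern described above). The log format, the 10.0.1.0/24 engineering network, the 01:00-04:00 UTC window and the sample lines are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy values (constructed for this example, not from the page).
ENGINEERING_NET = ip_network("10.0.1.0/24")  # hosts allowed to start updates
WINDOW = (time(1, 0), time(4, 0))            # approved maintenance window, UTC
BURST = timedelta(minutes=10)                # >1 device in this span is suspicious

# Constructed sample log, one event per line: "<ts> <device> <event> src=<ip>".
SAMPLE_LOG = """\
2024-03-02T22:53:10Z relay-07 UPDATE_MODE_ENTER src=10.0.5.21
2024-03-02T23:01:44Z relay-12 UPDATE_MODE_ENTER src=10.0.1.15
2024-03-03T02:10:00Z relay-03 UPDATE_MODE_ENTER src=10.0.1.15
2024-03-03T09:30:00Z relay-03 HEARTBEAT src=10.0.1.15
"""


@dataclass
class Event:
    ts: datetime
    device: str
    name: str
    src: str


def parse_line(line: str) -> Event:
    """Parse one log line of the assumed format into an Event."""
    ts, device, name, src = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 device, name, src.removeprefix("src="))


def findings(log_text: str) -> list[str]:
    """Return one alert string per policy violation found in the log."""
    alerts, recent = [], []  # recent: update-mode events within BURST
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.name != "UPDATE_MODE_ENTER":
            continue  # only update-mode transitions matter here
        if ip_address(ev.src) not in ENGINEERING_NET:
            alerts.append(f"{ev.device}: update mode from unapproved host {ev.src}")
        if not (WINDOW[0] <= ev.ts.time() < WINDOW[1]):
            alerts.append(f"{ev.device}: update mode outside window at {ev.ts:%H:%M}Z")
        recent = [r for r in recent if ev.ts - r.ts <= BURST] + [ev]
        if len({r.device for r in recent}) > 1:
            alerts.append(f"burst: {len(recent)} devices entered update mode "
                          f"within {BURST.seconds // 60} min")
    return alerts
```

Run `findings(SAMPLE_LOG)` to see the first two sample events raise four alerts while the in-window update from the engineering host raises none.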