TID-404: Remotely Triggerable Deadlock/DoS
Threat Description
Some devices have operating modes that leave the device inoperable, and many also carry network-parsing or protocol-handling flaws that can drive the device into a deadlocked or otherwise unresponsive state. A threat actor who can reach the device over the network may therefore send a message that triggers one of these states, rendering the device non-functional or leaving it degraded. If the device has no mechanism to detect and recover from the condition (for example a watchdog timer or a supervised restart of the affected task), it remains unavailable until it is reset or rebooted, which may require an operator to be physically present.
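The following added example (not part of this catalog entry, and not code from any real device) shows the mechanism behind a remotely triggerable deadlock and one way to harden against it. A toy device handles two message types that take the same two locks in opposite order; a sender who interleaves them wedges both handler threads permanently. The hardened handler imposes a single global lock order and bounds every acquire with a timeout, so a contended request fails fast with "busy" instead of hanging the device. The names Device, handle_vulnerable, handle_hardened and deliver are assumptions made for this illustration.

```python
import threading
import time


class Device:
    """Hypothetical device with two shared resources guarded by locks."""

    def __init__(self, hold_delay=0.05):
        self.config_lock = threading.Lock()
        self.channel_lock = threading.Lock()
        self.hold_delay = hold_delay  # widens the race window so the demo is deterministic

    def handle_vulnerable(self, msg):
        """CWE-833 pattern: RELOAD takes config->channel, TX takes channel->config.
        Two concurrent requests of opposite type deadlock forever."""
        if msg == "RELOAD":
            with self.config_lock:
                time.sleep(self.hold_delay)
                with self.channel_lock:
                    return "reloaded"
        if msg == "TX":
            with self.channel_lock:
                time.sleep(self.hold_delay)
                with self.config_lock:
                    return "sent"
        return "ignored"

    def handle_hardened(self, msg, lock_timeout=0.5):
        """Fix 1: a single lock order (config before channel) removes the cycle.
        Fix 2: bounded acquires mean a handler can never block indefinitely;
        on contention it returns 'busy' rather than wedging the device."""
        if msg not in ("RELOAD", "TX"):
            return "ignored"
        if not self.config_lock.acquire(timeout=lock_timeout):
            return "busy"
        try:
            time.sleep(self.hold_delay)
            if not self.channel_lock.acquire(timeout=lock_timeout):
                return "busy"
            try:
                return "reloaded" if msg == "RELOAD" else "sent"
            finally:
                self.channel_lock.release()
        finally:
            self.config_lock.release()


def deliver(device, handler_name, msgs, join_timeout=0.5):
    """Deliver msgs concurrently (as a remote sender would) and report which
    handlers finished. Returns (results, stuck): a handler that has not
    returned by join_timeout is treated as deadlocked and listed in stuck."""
    results = {}
    handler = getattr(device, handler_name)

    def worker(i, m):
        results[i] = handler(m)

    threads = [threading.Thread(target=worker, args=(i, m), daemon=True)
               for i, m in enumerate(msgs)]
    for t in threads:
        t.start()
    for t in threads:
        t.join(join_timeout)
    stuck = [m for i, m in enumerate(msgs) if i not in results]
    return results, stuck


if __name__ == "__main__":
    # Constructed message sequence: one of each type, sent concurrently.
    print(deliver(Device(), "handle_vulnerable", ["RELOAD", "TX"]))
    print(deliver(Device(), "handle_hardened", ["RELOAD", "TX"]))
```

The stuck list is the signal a real device would feed to a watchdog: in the vulnerable run both requests are still outstanding after the timeout and only a reset clears them, while in the hardened run both complete. Note that a timeout alone does not remove the deadlock; it only bounds the damage, which is why the hardened handler also fixes the lock order.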
Threat Maturity and Evidence
Observed Adversary Technique
ATT&CK Technique: Denial of Service (T0814)
Procedure Example: Industroyer (S0604)
“The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E.”
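Because a SIPROTEC device hit by this module gives no indication of its own that it has stopped responding (the CVE text below notes a manual reboot may be needed), the practical control is network-side detection of the trigger. The added example below, which is not part of this catalog entry or of any vendor tooling, builds constructed IPv4/UDP datagrams, parses them with a minimal header parser, and flags the exact 18-byte payload quoted above when it is addressed to UDP port 50000. The function names build_ipv4_udp, parse_ipv4_udp, classify and scan, and the sample addresses, are assumptions made for this illustration.

```python
import struct

# Payload bytes exactly as quoted in the ATT&CK procedure description above.
SIPROTEC_DOS_PAYLOAD = bytes.fromhex("11490000000000000000000000000000289e")
SIPROTEC_PORT = 50000


def build_ipv4_udp(src, dst, sport, dport, payload, proto=17):
    """Construct a minimal IPv4 datagram (no options, checksums zeroed) carrying
    a UDP header and payload. Used here only to fabricate sample traffic."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(udp), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp


def parse_ipv4_udp(pkt):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP datagram,
    or None for anything else (wrong version, not UDP, truncated)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return src, dst, sport, dport, pkt[ihl + 8:ihl + ulen]


def classify(pkt):
    """Return an alert string if pkt matches the SIPROTEC DoS trigger, else None.
    The match is deliberately exact: port 50000 alone is legitimate SIPROTEC
    traffic, and the payload alone on another port is not the published trigger."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None:
        return None
    src, dst, sport, dport, payload = parsed
    if dport == SIPROTEC_PORT and payload == SIPROTEC_DOS_PAYLOAD:
        return f"ALERT siprotec-dos {src}:{sport} -> {dst}:{dport}"
    return None


def scan(pkts):
    """Run classify over a sequence of raw datagrams and collect alerts."""
    return [a for a in (classify(p) for p in pkts) if a is not None]


# Constructed sample traffic (not captured from any real network).
SAMPLE_PKTS = [
    build_ipv4_udp("10.0.0.5", "10.0.0.20", 40000, 50000, b"\x00\x01\x02\x03"),  # benign
    build_ipv4_udp("10.0.0.5", "10.0.0.20", 40001, 50000, SIPROTEC_DOS_PAYLOAD),  # trigger
    build_ipv4_udp("10.0.0.5", "10.0.0.20", 40002, 50001, SIPROTEC_DOS_PAYLOAD),  # wrong port
    build_ipv4_udp("10.0.0.5", "10.0.0.20", 40003, 50000, SIPROTEC_DOS_PAYLOAD, proto=6),  # not UDP
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PKTS):
        print(alert)
```

Running the block prints a single alert for the second sample packet. In production the same match would be expressed as an IDS rule keyed on UDP, destination port 50000 and the payload bytes; an exact-payload signature is appropriate here because the trigger is a fixed packet, but it will not catch variants, so pair it with an availability check (for example a periodic poll of the device) that notices when a SIPROTEC unit silently stops answering.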
Procedure Example: Backdoor.Oldrea (S0093)
“The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.”
CWE
CWE-833: Deadlock
“The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.”
CVE
CVE-2015-5374
“Specially crafted packets sent to port 50000/UDP could cause a denial-of-service of the affected device. A manual reboot may be required to recover the service of the device.”