SCADA IDS Signatures (SIS)

CRITIFENCE® SCADA IDS Signatures Database (SIS)

Flash Update Attempt

Date: 2016-03-03
Title: Flash Update Attempt
Author: Rockwell Automation
SVE-ID: N/A
Description
This rule was developed by Rockwell Automation in response to vulnerabilities identified in Project Basecamp.

Attack: Flash Update
Impact: Initialize the device to update the firmware.

// CIP - Unconnected send
// Service: 0x4b ( NV_UPDATE - vendor specific name extracted from firmware )
// Class: 0xA1 (Non-Volatile Object - vendor specific name extracted from firmware)
// After issuing this service we would load our own firmware via the service code 0x4d (nv_transfer)
unsigned char packetFlashUp[] =
    "\x00\x00\x00\x00\x05\x00\x02\x00\x00\x00\x00\x00\xb2\x00\x16\x00"
    "\x4b\x02\x20\xa1\x24\x01\x05\x99\x07\x00\x4f\x02\x20\x37\x24\xc8"
    "\x00\x00\x01\x00\x01\x00";

Signature

alert tcp any any -> $ENIP_SERVER 44818 (msg:"ROCKWELL Automation ControlLogix EtherNET/IP Initialize the device to update the firmware (FlashUp)";
 flow:to_server;
 content:"|6f 00|";
 offset:0;
 depth:2;
 content:"|00 00 00 00|";
 distance:22;
 within:4;
 byte_extract:2,2,count,relative,multiplier 4,little;
 content:"|b2 00|";
 distance:0;
 within:count;
 content:"|4b|";
 distance:2;
 within:1;
 content:"|20 a1|";
 distance:1;
 within:2;
 classtype:attempted-admin;
 reference:osvdb,78492;
 reference:secunia,47737;
 sid:1111691;
 rev:1;
)
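The signature above walks the EtherNet/IP frame field by field: the SendRRData command (0x006f) at offset 0, a zero interface handle at byte 24, the CPF item count at bytes 30-31 scaled by 4 to bound the search for the unconnected data item (0x00b2), then the CIP service byte 0x4b and the class segment 0x20 0xA1 behind it. The following Python is an added example, not part of the CRITIFENCE database or of the Rockwell rule, that reproduces the same checks over a constructed frame so the matching logic can be tested offline. The 24-byte encapsulation header (session handle, sender context) is constructed here; the command-specific data is the packetFlashUp array quoted in the description, and the benign comparison request (Get_Attributes_All on the Identity object) is also constructed.

```python
"""Offline re-implementation of the FlashUp detection logic (added example)."""
import struct

ENIP_HEADER_LEN = 24                 # encapsulation header precedes the command data
ENIP_SEND_RR_DATA = b"\x6f\x00"      # command 0x006f, little-endian on the wire
CPF_UNCONNECTED_DATA = b"\xb2\x00"   # CPF item type 0x00b2 (unconnected data item)
CIP_SERVICE_NV_UPDATE = 0x4b         # vendor-specific service from the rule
CIP_PATH_CLASS_A1 = b"\x20\xa1"      # 8-bit class segment, class 0xA1

# Command-specific data from the page's packetFlashUp array (everything after the
# encapsulation header): interface handle, timeout, CPF items and the CIP request.
PACKET_FLASHUP = bytes.fromhex(
    "00000000 0500 0200 0000 0000 b200 1600"
    "4b 02 20a1 2401 0599 0700 4f02 2037 24c8 0000 0100 0100"
)
# The CIP request alone (service 0x4b, path size 2 words, class 0xA1 instance 1, data).
FLASHUP_CIP = PACKET_FLASHUP[16:]
# Constructed benign request: Get_Attributes_All (0x01) on Identity object class 1, instance 1.
GET_ATTRIBUTES_ALL_IDENTITY = bytes.fromhex("01 02 2001 2401")


def build_send_rr_data(cip_request: bytes, session_handle: int = 0x11223344) -> bytes:
    """Wrap a CIP request in a SendRRData frame with a null address item and an
    unconnected data item. Test scaffolding; session handle and sender context
    are constructed placeholders, not values from any real session."""
    cpf = struct.pack("<HHHHH", 2, 0x0000, 0, 0x00b2, len(cip_request)) + cip_request
    command_data = struct.pack("<IH", 0, 5) + cpf          # interface handle 0, timeout 5
    header = struct.pack("<HHII8sI", 0x006f, len(command_data), session_handle,
                         0, b"\x00" * 8, 0)                # status 0, context, options 0
    return header + command_data


def is_flashup_request(frame: bytes) -> bool:
    """Return True if the frame matches the same sequence of checks as the Snort rule."""
    # content:"|6f 00|"; offset:0; depth:2;
    if frame[0:2] != ENIP_SEND_RR_DATA:
        return False
    # content:"|00 00 00 00|"; distance:22; within:4;  -> interface handle at bytes 24..27
    if frame[ENIP_HEADER_LEN:ENIP_HEADER_LEN + 4] != b"\x00\x00\x00\x00":
        return False
    # byte_extract:2,2,count,relative,multiplier 4,little;  -> item count at bytes 30..31
    if len(frame) < 32:
        return False
    (item_count,) = struct.unpack_from("<H", frame, 30)
    count = item_count * 4
    # content:"|b2 00|"; distance:0; within:count;  -> item type within the next count bytes
    window = frame[32:32 + count]
    idx = window.find(CPF_UNCONNECTED_DATA)
    if idx < 0:
        return False
    pos = 32 + idx + 2                                     # cursor just past the item type
    # content:"|4b|"; distance:2; within:1;  -> skip the 2-byte item length, then the service
    if len(frame) <= pos + 2 or frame[pos + 2] != CIP_SERVICE_NV_UPDATE:
        return False
    pos += 3
    # content:"|20 a1|"; distance:1; within:2;  -> skip the path-size byte, then class segment
    return frame[pos + 1:pos + 3] == CIP_PATH_CLASS_A1


def scan(frames):
    """Label each frame the way an IDS would: 'FlashUp' alert or no alert."""
    return ["FlashUp" if is_flashup_request(f) else None for f in frames]


if __name__ == "__main__":
    samples = [build_send_rr_data(FLASHUP_CIP), build_send_rr_data(GET_ATTRIBUTES_ALL_IDENTITY)]
    for frame, verdict in zip(samples, scan(samples)):
        print(f"{frame[:2].hex()} ... {frame[40]:#04x} -> {verdict}")
```

The checks are kept in the same order and with the same cursor arithmetic as the rule, so a mismatch between the two on a captured frame points at a specific content or distance/within clause rather than at the rule as a whole.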