ECCouncil Updated 312-50v13 Exam Questions and Answers by rehmat

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 explains that TOCTOU (Time-of-Check Time-of-Use) vulnerabilities arise when a system checks a condition (such as file permissions) and then later uses the resource based on that assumption. If there is even a tiny gap between the validation and the actual use, attackers can exploit this race condition by replacing or modifying the resource after validation but before execution. This is common in file-handling operations involving temporary files, symbolic links, or shared directories. CEH emphasizes that TOCTOU attacks often lead to privilege escalation, unauthorized execution, or tampering with data because the system trusts the earlier validation step. The attacker swaps the file at precisely the right moment, taking advantage of a race window. The other options—certificate validation, integer overflow, and null pointer dereference—do not involve timing-based race conditions. The scenario exactly matches CEH’s description of TOCTOU exploitation, where attackers manipulate file access in the interval between validation and execution.

The best answer is BPDU Guard on edge ports. CEH network defense material explains that BPDU Guard is used on access or edge ports where end-user devices are expected, not switches. If a device connected to such a port begins sending Bridge Protocol Data Units, the switch treats that as an abnormal condition and can shut the port down or place it in an error-disabled state. This prevents unauthorized or misconfigured devices from participating in spanning-tree and influencing root bridge election or topology decisions. That matches the scenario, where a newly connected device introduced a more favorable bridge priority and triggered spanning-tree recalculations. Root Guard is also related to protecting spanning-tree hierarchy, but it is typically applied where you want to prevent a downstream switch from becoming root while still allowing BPDU participation under controlled conditions. CEH exam framing usually expects BPDU Guard when the threat originates from an end-host-facing access port in a conference room or office edge location. Because the goal is to stop unauthorized edge-connected devices from affecting spanning-tree at all, enabling BPDU Guard on edge ports is the most appropriate control.

MAC flooding is a Layer 2 attack described in CEH v13 Network and Perimeter Hacking, where attackers overwhelm a switch’s CAM table with fake MAC addresses. Once the table is full, the switch behaves like a hub, forwarding traffic to all ports.

The most definitive indicator of MAC flooding is numerous MAC addresses learned on a single switch port, which is abnormal behavior in a properly segmented network. CEH v13 identifies this condition as a key forensic indicator of CAM table exhaustion.

ARP anomalies may occur, but they are more commonly associated with ARP spoofing attacks. IP-to-MAC inconsistencies indicate MITM attacks, not MAC flooding.

Thus, option C is the clearest confirmation.

The correct answer is A. Firmware update attack because the scenario describes an attacker delivering an unauthenticated, non-cryptographically verified update/package to a controller and successfully altering its operational logic. In IoT/OT environments, controllers (PLCs, RTUs, PACs, and embedded industrial devices) often support updating firmware or logic over the network for maintenance. If the device does not verify the source, integrity, and authenticity of update packages—typically through signed firmware, certificates, and secure update channels—an attacker can replace legitimate code with a maliciously modified version.

Sameer’s demonstration maps directly to a firmware/logic update compromise: he uploads “altered instructions” and changes how the controller processes commands during operations. This is exactly the type of risk highlighted in OT security: unauthorized modification of controller logic can cause unsafe states, disrupt production, damage equipment, or create stealthy manipulation that is difficult to detect. The explicit mention of “without checking the origin or cryptographic validity” indicates missing controls like digital signatures, hash verification, and trusted update mechanisms, which are central to firmware update security.

Why the other options are less accurate: Forged malicious device usually refers to introducing a rogue or cloned device into the environment to impersonate legitimate equipment. Remote access using backdoor implies an existing hidden access mechanism rather than abuse of the update mechanism itself. Exploit kits are typically collections of exploits used to compromise systems, commonly discussed more in endpoint/web contexts; they don’t specifically describe the act of pushing an altered firmware/logic package that the controller accepts due to missing validation.

Therefore, the technique is best categorized as a firmware update attack, leveraging weak or absent authenticity/integrity checks on update packages to modify OT controller behavior.