Socomec DIRIS Digiware M-70 Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 version 1.6.9. The webserver handles session cookies improperly: although the session cookie's SameSite attribute is set to Strict, which stops the browser from attaching it to cross-site requests, the WEBVIEW-M implementation does not reject requests that carry no session cookie at all. A forged cross-site request therefore arrives without a cookie and is still processed as authorized, allowing unauthorized actions to be performed on behalf of the user.
Impact
Exploitation of this vulnerability allows for cross-site request forgery attacks, where an attacker can perform actions on behalf of an authenticated user without their consent. For example, an attack could involve changing a user's password, thereby gaining access to their account with elevated privileges.
Reproduction
To reproduce this vulnerability, log into the Socomec DIRIS Digiware M-70 WEBVIEW-M interface. While still logged in, visit a malicious webpage designed to exploit this vulnerability. The webpage should include a form that submits a POST request to the DIRIS Digiware M-70 authentication endpoint, such as one that modifies account details. The form must be set to automatically submit when the page loads. If successful, this will trigger a CSRF attack by changing the password of the Admin user to a value controlled by the attacker, such as 'CSRFAdmin1!', allowing access to the Admin account.
Remediation
Users are advised to update to DIRIS Digiware WEBVIEW M-50 / M-70 version 1.7 or DIRIS Digiware D-50 / D-70 version 2.10. Instructions for downloading these versions are available on the Socomec website.
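The check below is an added illustration of the root cause described under Vulnerability and of the fail-closed behaviour the fix needs; it is not Socomec's code and does not reproduce the WEBVIEW-M implementation. The weak handler validates a session cookie only when one is present, so a cross-site POST that the browser sends without the Strict cookie is accepted; the hardened handler rejects any request without a valid session and additionally checks the Origin/Referer and a per-session CSRF token. Session ids, tokens, the device origin and the two sample requests are constructed.

```python
"""Added illustration of the advisory's root cause; not Socomec's own code.
Session ids, tokens, the origin and the sample requests are constructed."""
from http.cookies import SimpleCookie

# Constructed server-side session store: session id -> user and CSRF token.
SESSIONS = {"sid-1234": {"user": "Admin", "csrf": "tok-9f8e"}}
SITE_ORIGIN = "https://diris.example"  # assumed origin of the device web UI


def session_cookie(headers):
    """Return the session id carried in the Cookie header, or None."""
    morsel = SimpleCookie(headers.get("Cookie", "")).get("session")
    return morsel.value if morsel else None


def weak_authorize(headers, form):
    """Models the flaw in the advisory: a request with no session cookie is
    waved through. SameSite=Strict keeps the cookie out of a cross-site POST,
    so the forged request arrives cookie-less and is still accepted."""
    sid = session_cookie(headers)
    if sid is None:
        return True                      # BUG: absent cookie treated as authorized
    return sid in SESSIONS               # only a present cookie gets validated


def hardened_authorize(headers, form):
    """Require a valid session, a same-site Origin/Referer and a per-session
    CSRF token in the form body; fail closed when anything is missing."""
    session = SESSIONS.get(session_cookie(headers))
    if session is None:
        return False                     # absent or unknown session: reject
    source = headers.get("Origin") or headers.get("Referer", "")
    if source != SITE_ORIGIN and not source.startswith(SITE_ORIGIN + "/"):
        return False                     # cross-site source: reject
    return form.get("csrf_token") == session["csrf"]


# Constructed requests: a forged cross-site password change (browser omits the
# Strict cookie) and a genuine same-site change carrying cookie and token.
FORGED = ({"Origin": "https://attacker.example"}, {"password": "CSRFAdmin1!"})
GENUINE = ({"Origin": SITE_ORIGIN, "Cookie": "session=sid-1234"},
           {"password": "NewPass1!", "csrf_token": "tok-9f8e"})

if __name__ == "__main__":
    for name, (hdrs, body) in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, "weak:", weak_authorize(hdrs, body),
              "hardened:", hardened_authorize(hdrs, body))
```

Running it shows the forged request accepted by the weak check and rejected by the hardened one, while the genuine request passes both.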
