Socomec DIRIS Digiware M-70 Modbus RTU Over TCP Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Socomec DIRIS Digiware M-70 version 1.6.9. The issue lies in the Modbus RTU over TCP functionality, where a specially crafted network packet can disrupt service and weaken device credentials by causing the documented default credentials to be reapplied. The vulnerability can be exploited by sending a single unauthenticated packet over Modbus RTU over TCP.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition by causing the device to undergo a factory reset, which disrupts normal operations. Additionally, the reset process restores default passwords for the device's webserver, known as WEBVIEW-M, allowing unauthorized access to user accounts on the web interface.

Reproduction

The vulnerability can be reproduced by sending a Modbus RTU over TCP message through port 503. The 'Write Single Register' function code (6) should be used to write the value 229 to register number 57856. This action triggers the factory reset mechanism on the device.

Remediation

Users can disable write access over Modbus RTU over TCP by using the Cyber Security user profile in the DIRIS Digiware M-70 WEBVIEW-M interface. This change also disables writing over Modbus TCP on port 502.
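
Alongside the mitigation, the write described under Reproduction can be watched for on the network. The detector below is an added example, not code from Socomec or from the original advisory; the event tuple format, the function names and the sample traffic are assumptions constructed for illustration.

```python
import struct
from typing import List, Optional

# Values taken from the advisory text.
RTU_OVER_TCP_PORT = 503
WRITE_SINGLE_REGISTER = 0x06
RESET_REGISTER = 57856  # 0xE200
RESET_VALUE = 229       # 0x00E5

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def inspect_frame(payload: bytes) -> Optional[dict]:
    """Return a finding for a Write Single Register aimed at RESET_REGISTER."""
    # RTU framing carries no MBAP header: unit, function, address, value,
    # then the CRC with its low byte first. A function 6 request is 8 bytes.
    if len(payload) != 8:
        return None
    unit, func, register, value = struct.unpack(">BBHH", payload[:6])
    if func != WRITE_SINGLE_REGISTER or register != RESET_REGISTER:
        return None
    (crc_rx,) = struct.unpack("<H", payload[6:])
    # Frames with a bad CRC are still reported, with crc_ok set to False.
    return {"unit": unit, "value": value,
            "reset_value": value == RESET_VALUE,
            "crc_ok": crc_rx == crc16_modbus(payload[:6])}

def scan(events) -> List[dict]:
    """events: (source IP, destination port, TCP payload) tuples from a tap."""
    alerts = []
    for src, dport, payload in events:
        finding = inspect_frame(payload) if dport == RTU_OVER_TCP_PORT else None
        if finding:
            alerts.append({"src": src, **finding})
    return alerts

# Constructed sample traffic using documentation addresses. The CRC field of
# the second frame is left as zeros rather than computed.
SAMPLE_EVENTS = [
    ("192.0.2.10", 503, bytes.fromhex("01 03 00 00 00 0a c5 cd")),  # read request
    ("192.0.2.66", 503, bytes.fromhex("01 06 e2 00 00 e5 00 00")),  # register write
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

An alert with `reset_value` set is a reason to check whether the WEBVIEW-M accounts have reverted to their default passwords.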

Added: Dec 1, 2025, 4:43 PM
Updated: Dec 1, 2025, 5:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.7
remediation: 0.0
relevance: 1.3
threat: 1.6
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.