Socomec DIRIS Digiware M-70 Modbus TCP and RTU Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the Socomec DIRIS Digiware M-70 version 1.6.9. This vulnerability arises in the Modbus TCP and Modbus RTU over TCP functionalities. An attacker can send a sequence of unauthenticated Modbus TCP messages to port 502, using the Write Single Register function code, to disrupt the device's operation. The attack involves modifying the gateway's Modbus address, which interrupts communication with all connected tools or devices across various Modbus networks, leaving the device unresponsive to standard Modbus RTU over TCP requests.

Impact

Exploitation of this vulnerability disrupts Modbus communications, causing the device to become unresponsive to Modbus RTU over TCP requests and to return error code 11 for Modbus TCP requests, indicating a failure to respond.

Reproduction

To reproduce this vulnerability, send a series of Modbus TCP messages to port 502 using the Write Single Register function code. Start by sending a message to register 58112 with a value of 1000 to indicate a forthcoming configuration change. Then, send a message to register 29440 with the value of the new Modbus address to be set. Finally, send a message to register 57856 with a value of 161 to commit the change. Once this sequence is completed, the device will enter a denial-of-service state.

Remediation

Users can disable Modbus over Ethernet writing using the Cyber Security user profile in the device's WEBVIEW-M interface.