Socomec DIRIS Digiware M-70 Modbus RTU over TCP Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Socomec DIRIS Digiware M-70 version 1.6.9, specifically within its Modbus TCP and Modbus RTU over TCP functionalities. This vulnerability allows an attacker to disrupt device communication by sending a series of unauthenticated Modbus RTU over TCP messages to port 503, using the Write Single Register function code. The attack involves modifying the device's Modbus address, which interrupts communication with all connected tools or devices across various Modbus networks. Once the address is changed, the device fails to respond to Modbus RTU over TCP requests, leading to a persistent denial-of-service condition.
Impact
Exploitation of this vulnerability causes a denial-of-service condition by disrupting Modbus RTU over TCP communications, with the device failing to respond to requests and instead returning an exception response indicating a communication failure.
Reproduction
To reproduce this vulnerability, send a sequence of Modbus RTU over TCP messages to port 503 using the Write Single Register function code. The first message should be sent to register 58112 with a value of 1000, indicating a forthcoming configuration change. Next, send a message to register 29440 with the value of the new Modbus address to be configured. Finally, send a message to register 57856 with a value of 161 to commit the configuration change. After this sequence, the device will enter a denial-of-service state.
Remediation
Users can disable Modbus over Ethernet writing using the Cyber Security user profile in the device's WEBVIEW-M interface.
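Where writes cannot be disabled immediately, the three-register write sequence given under Reproduction can be watched for in traffic to port 503. The Python detector below is an added example, not code from Socomec or from this advisory; it assumes each captured TCP payload holds exactly one Modbus RTU frame, and the source IP, unit ID 1 and new address 42 in the sample are constructed.

```python
import struct
# Registers and values are those listed in the reproduction steps above.
UNLOCK_REG, UNLOCK_VAL = 58112, 1000   # announces a configuration change
ADDRESS_REG = 29440                    # receives the new Modbus address
COMMIT_REG, COMMIT_VAL = 57856, 161    # commits the change
WRITE_SINGLE_REGISTER = 0x06

def crc16_modbus(data: bytes) -> int:
    crc = 0xFFFF                       # CRC-16/MODBUS, reflected poly 0xA001
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def parse_write(payload: bytes):
    """Return (unit, register, value) for a valid Write Single Register frame, else None."""
    if len(payload) != 8:
        return None
    unit, func, reg, val = struct.unpack(">BBHH", payload[:6])
    (crc,) = struct.unpack("<H", payload[6:])   # RTU sends the CRC low byte first
    if func != WRITE_SINGLE_REGISTER or crc != crc16_modbus(payload[:6]):
        return None
    return unit, reg, val

class AddressChangeDetector:
    def __init__(self):
        self.state = {}   # source IP -> (stage, pending address)
    def observe(self, src: str, payload: bytes):
        """Follow unlock -> address write -> commit per source; alert on commit."""
        parsed = parse_write(payload)
        if parsed is None:
            return None
        unit, reg, val = parsed
        stage, addr = self.state.get(src, (0, None))
        if (reg, val) == (UNLOCK_REG, UNLOCK_VAL):
            self.state[src] = (1, None)
        elif reg == ADDRESS_REG and stage >= 1:
            self.state[src] = (2, val)
        elif (reg, val) == (COMMIT_REG, COMMIT_VAL) and stage == 2:
            del self.state[src]
            return f"{src}: Modbus address of unit {unit} changed to {addr}"
        return None
def constructed_payload(unit, reg, val):   # constructed sample, not real traffic
    body = struct.pack(">BBHH", unit, WRITE_SINGLE_REGISTER, reg, val)
    return body + struct.pack("<H", crc16_modbus(body))
# Constructed capture: the source IP, unit 1 and new address 42 are made up.
SAMPLE = [("192.0.2.10", constructed_payload(1, r, v)) for r, v in
          [(UNLOCK_REG, UNLOCK_VAL), (ADDRESS_REG, 42), (COMMIT_REG, COMMIT_VAL)]]
```

Feeding each payload of `SAMPLE` to `AddressChangeDetector.observe` returns an alert string only on the commit write; frames with a bad CRC or a different function code are ignored.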
