Socomec DIRIS Digiware M-70 Modbus TCP Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Socomec DIRIS Digiware M-70 version 1.6.9. The vulnerability is in the device's Modbus TCP and Modbus RTU over TCP USB Function functionality. An attacker can send a specially crafted, unauthenticated network packet via Modbus TCP over port 502 that leaves the device unresponsive. A manual power cycle is required to restore normal functionality.
Impact
Exploitation of this vulnerability causes the device to become unresponsive to all transport and application layer protocols, including TCP/IP, HTTP, and Modbus, while ICMP remains functional. This unresponsive state can also be triggered by Modbus RTU over TCP messages sent on port 503.
Reproduction
To reproduce this vulnerability, send a Modbus TCP message over port 502 using the Write Single Register function code for register 57872. The second byte of the data must be set to either 1 or 4. Setting it to 1 will disrupt all transport and application layer protocols, except for ICMP. Setting it to 4 will cause the device to stop responding to any protocols, including ARP requests.
Remediation
Users can disable Modbus over Ethernet writing using the Cyber Security user profile in the WEBVIEW-M interface.
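To watch for the request described under Reproduction on networks where the write restriction is not yet in place, the following added example (not part of the advisory and not Socomec code) parses Modbus TCP payloads seen on port 502 and reports any write that touches register 57872, whatever value it carries. The function names and sample payloads are constructed for illustration; flagging Write Multiple Registers (0x10) ranges that cover the register is an assumption that goes beyond what the advisory states, and the Modbus RTU over TCP framing used on port 503 is not handled.

```python
import struct

WATCHED_REGISTER = 57872          # register named in the advisory
WRITE_SINGLE, WRITE_MULTIPLE = 0x06, 0x10

def iter_adus(payload: bytes):
    """Yield (unit_id, pdu) for each well-formed Modbus TCP ADU in a TCP payload."""
    offset = 0
    while offset + 7 <= len(payload):
        _tid, proto, length, unit = struct.unpack_from(">HHHB", payload, offset)
        end = offset + 6 + length          # length field counts unit id + PDU
        if proto != 0 or length < 2 or end > len(payload):
            return                         # not Modbus TCP, or truncated frame
        yield unit, payload[offset + 7:end]
        offset = end

def watched_writes(payload: bytes, register: int = WATCHED_REGISTER):
    """Return one alert dict per write request that touches `register`."""
    alerts = []
    for unit, pdu in iter_adus(payload):
        func = pdu[0]
        if func == WRITE_SINGLE and len(pdu) >= 5:
            addr, value = struct.unpack_from(">HH", pdu, 1)
            if addr == register:
                alerts.append({"unit": unit, "function": func, "value": value})
        elif func == WRITE_MULTIPLE and len(pdu) >= 6:
            # Assumption beyond the advisory: also flag multi-register writes
            # whose address range covers the watched register.
            start, count = struct.unpack_from(">HH", pdu, 1)
            if start <= register < start + count:
                alerts.append({"unit": unit, "function": func, "value": None})
    return alerts

def adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header; used only to build the samples below."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "read of watched register": adu(1, 1, struct.pack(">BHH", 0x03, WATCHED_REGISTER, 1)),
    "write to other register": adu(2, 1, struct.pack(">BHH", WRITE_SINGLE, 100, 7)),
    "write to watched register": adu(3, 1, struct.pack(">BHH", WRITE_SINGLE, WATCHED_REGISTER, 0)),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name}: {watched_writes(payload)}")
```

Each alert carries the unit identifier and the written value, so an analyst can correlate the request with the loss of TCP, HTTP and Modbus responses described under Impact.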
