Socomec DIRIS Digiware M-70 Modbus RTU Over TCP Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Socomec DIRIS Digiware M-70 version 1.6.9. It affects the Modbus TCP and Modbus RTU over TCP USB Function functionality. An attacker can send an unauthenticated, specially crafted network packet via Modbus RTU over TCP on port 503, causing the device to become unresponsive. The issue is triggered by a Write Single Register message for register 57872 that carries specific data. If the second byte of the data is set to 1 or 4, the device stops responding: with 1, it fails to respond to transport and application layer protocols, including TCP/IP, HTTP, and Modbus, while ICMP remains functional; with 4, it stops responding to any protocol, including ARP requests. Normal functionality can only be restored by manually power cycling the device.
Impact
Exploitation of this vulnerability causes the device to become unresponsive. With the second byte of the data set to 1, all transport and application layer protocols, including TCP/IP, HTTP, and Modbus, are disrupted while ICMP remains functional. With the second byte set to 4, the device fails to respond to any protocol, including ARP requests.
Reproduction
To reproduce this vulnerability, send a Modbus RTU over TCP message to the device on port 503, targeting register 57872 with the Write Single Register function code. The second byte of the data must be set to either 1 or 4. If set to 1, the device will become unresponsive to all transport and application layer protocols except ICMP. If set to 4, the device will stop responding to any protocols, including ARP requests.
Remediation
Using the Cyber Security user profile in WEBVIEW-M, disable Modbus over Ethernet Writing.
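To check that the remediation is holding, a network monitor can flag Modbus RTU over TCP writes seen on port 503. The following is an added detection example, not code from the advisory or from Socomec. It assumes one RTU frame per TCP payload, reads "second byte of the data" as the low byte of the 16-bit register value, and does not validate the CRC; the sample frames are constructed, with zeroed CRC bytes.

```python
import struct

WRITE_SINGLE_REGISTER = 0x06
REGISTER = 57872                            # register named in the advisory
TRIGGER_VALUES = {1, 4}                     # second data byte values named in the advisory
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}  # standard Modbus write function codes


def classify_frame(payload: bytes) -> str:
    """Classify one Modbus RTU frame carried in a TCP payload on port 503.

    Returns 'advisory-match', 'write', 'other' or 'malformed'.
    """
    # RTU layout: unit id (1) | function code (1) | data ... | CRC16 (2)
    if len(payload) < 4:
        return "malformed"
    function = payload[1]
    if function == WRITE_SINGLE_REGISTER:
        # Write Single Register: address (2) + value (2), 8 bytes in total
        if len(payload) != 8:
            return "malformed"
        address, _value_hi, value_lo = struct.unpack(">HBB", payload[2:6])
        if address == REGISTER and value_lo in TRIGGER_VALUES:
            return "advisory-match"
    if function in WRITE_FUNCTIONS:
        # Any write is a policy violation once Modbus over Ethernet
        # Writing has been disabled on the device.
        return "write"
    return "other"


def scan(payloads):
    """Classify each captured payload in order."""
    return [classify_frame(p) for p in payloads]


def _frame(function, address, value):
    # Constructed sample: unit id 1, CRC bytes zeroed (CRC is not checked).
    return struct.pack(">BBHHH", 1, function, address, value, 0)


SAMPLES = [
    _frame(0x06, REGISTER, 0x0001),  # matches the advisory (second data byte 1)
    _frame(0x06, REGISTER, 0x0004),  # matches the advisory (second data byte 4)
    _frame(0x06, REGISTER, 0x0002),  # write to the register, other value
    _frame(0x03, REGISTER, 0x0001),  # Read Holding Registers, not a write
    b"\x01\x06\xe2",                 # truncated frame
]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, scan(SAMPLES)):
        print(sample.hex(), verdict)
```
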
