Can you explain this vulnerability to me?

This vulnerability is a denial of service issue in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 version 1.6.9. An attacker can send a specially crafted, unauthenticated Modbus TCP message to port 502 using the Write Single Register function code (6) to write the value 1 to register 4352. This changes the Modbus address to 15 and causes the device to enter a denial-of-service state, making it unavailable for normal operation.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can impact you by causing a denial-of-service condition on the affected device, rendering it unavailable or non-functional. Since the device stops responding properly after the attack, it can disrupt operations that rely on the Modbus communication, potentially leading to downtime or loss of monitoring and control capabilities.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring network traffic for Modbus TCP messages sent to port 502 that use the Write Single Register function code (6) targeting register 4352 with the value 1. Network analysis tools like Wireshark or tcpdump can be used to capture and filter such packets. For example, using tcpdump: tcpdump -i <interface> 'tcp port 502' and then inspecting for Modbus function code 6 writing value 1 to register 4352.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to port 502 on the affected devices to trusted hosts only, implementing network segmentation to isolate the device, and monitoring for suspicious Modbus TCP traffic. Additionally, applying any available patches or updates from the vendor when released is recommended.

Useful 0 Not Useful 0