Overview
CVE-2024-49572 is a high-severity denial of service (DoS) vulnerability affecting Socomec DIRIS Digiware M-70 version 1.6.9. This vulnerability resides within the Modbus TCP functionality of the device. An attacker can exploit this flaw by sending a specially crafted network packet, leading to a denial of service condition. Furthermore, successful exploitation can weaken the device’s credentials, potentially reverting them to default, documented credentials.
Technical Details
The vulnerability stems from improper handling of specific Modbus TCP requests. An unauthenticated attacker can send a malformed packet to the DIRIS Digiware M-70 device. This malicious packet can cause the device to crash or become unresponsive, resulting in a denial of service. A secondary, and perhaps more critical, consequence of the DoS is the potential for the device to revert to factory default credentials, which are often publicly documented, creating a significant security risk.
CVSS Analysis
- CVE ID: CVE-2024-49572
- Severity: HIGH
- CVSS Score: 7.2
- The CVSS score reflects the potential for remote exploitation without authentication, leading to a denial of service. The ability to weaken credentials further amplifies the risk associated with this vulnerability.
Possible Impact
The exploitation of CVE-2024-49572 can have significant impact in operational technology (OT) environments where Socomec DIRIS Digiware M-70 devices are deployed. Potential consequences include:
- Loss of Monitoring Capabilities: A denial of service can interrupt the monitoring of electrical parameters, hindering operational awareness.
- Process Disruption: In critical infrastructure environments, a DoS condition could lead to disruptions in essential processes.
- Unauthorized Access: The weakening of credentials allows attackers to gain access to the device with default credentials, potentially leading to malicious configuration changes or data exfiltration.
- Compromised Device: With access via the default credentials, the attacker can further compromise the device and use it to attack other systems.
Mitigation and Patch Steps
Socomec has released a security advisory addressing this vulnerability. Users are strongly advised to take the following steps:
- Apply the Latest Firmware Update: Upgrade the DIRIS Digiware M-70 devices to the latest firmware version provided by Socomec. This patch addresses the vulnerability and prevents exploitation.
- Network Segmentation: Implement network segmentation to isolate the DIRIS Digiware M-70 devices from untrusted networks. This reduces the attack surface and limits the potential impact of exploitation.
- Strong Passwords: Ensure that strong, unique passwords are used for all device accounts. Avoid using default or easily guessable passwords. Change default credentials IMMEDIATELY.
- Monitor Network Traffic: Implement network intrusion detection systems (IDS) to monitor for suspicious Modbus TCP traffic.
- Restrict Access: Implement Access Control Lists (ACLs) on the network to restrict which IP addresses can communicate with the devices.
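As a starting point for the "Monitor Network Traffic" step above, the following is an added example (not code from Socomec or from the advisory) of a small Modbus TCP sanity checker that an IDS rule or a packet-capture script could apply to inbound frames destined for the meter. The advisory does not describe what makes the triggering packet malformed, so the checks here are generic MBAP header and PDU consistency rules from the Modbus TCP specification (protocol identifier must be 0, length field must match the bytes actually present, ADU size and function-code range must be sane), not a signature for CVE-2024-49572 itself. The sample frames are constructed for illustration and are not captures from a real device.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Modbus TCP framing constants (from the Modbus/TCP specification).
MBAP_LEN = 7      # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU = 260     # MBAP header plus a 253-byte maximum PDU


@dataclass
class Finding:
    frame_index: int
    reason: str


def check_modbus_tcp_frame(frame: bytes) -> Optional[str]:
    """Return a reason string if the frame breaks basic MBAP/PDU rules, else None.

    These are generic consistency checks; they are an assumption about what
    'malformed' traffic looks like, not the specific trigger for the CVE.
    """
    if len(frame) < MBAP_LEN + 1:
        return "frame shorter than MBAP header plus function code"
    txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto_id != 0:
        return f"non-Modbus protocol identifier {proto_id}"
    # The length field counts everything after the first six header bytes
    # (unit id + PDU); a mismatch is the classic shape of a framing bug trigger.
    actual = len(frame) - 6
    if length != actual:
        return f"length field {length} does not match actual {actual}"
    if len(frame) > MAX_ADU:
        return f"ADU of {len(frame)} bytes exceeds {MAX_ADU}"
    function_code = frame[MBAP_LEN]
    if function_code == 0 or function_code > 127:
        return f"invalid function code {function_code}"
    return None


def scan_frames(frames: List[bytes]) -> List[Finding]:
    """Run the checker over a list of frames and collect the ones that fail."""
    findings: List[Finding] = []
    for index, frame in enumerate(frames):
        reason = check_modbus_tcp_frame(frame)
        if reason is not None:
            findings.append(Finding(index, reason))
    return findings


# Constructed sample frames (hypothetical, not captured from a DIRIS Digiware M-70).
SAMPLE_FRAMES = [
    # well-formed Read Holding Registers: txn 1, proto 0, len 6, unit 1, fc 3, addr 0, qty 10
    bytes.fromhex("000100000006010300000 00A".replace(" ", "")),
    # length field claims 65535 bytes while only 6 follow the header
    bytes.fromhex("00020000FFFF0103000 0000A".replace(" ", "")),
    # protocol identifier set to 1 instead of 0
    bytes.fromhex("000300010006010300 00000A".replace(" ", "")),
    # truncated frame: header present, no function code
    bytes.fromhex("00040000000601"),
]


if __name__ == "__main__":
    for finding in scan_frames(SAMPLE_FRAMES):
        print(f"frame {finding.frame_index}: {finding.reason}")
```

In a deployment this logic would sit on a span port or in a Modbus-aware IDS in front of the OT segment, alerting on any frame that fails the checks, since a legitimate SCADA master never emits such traffic; combined with the ACL step above, only the expected master addresses should be able to reach TCP/502 on the meter at all.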