OTPulse

Siemens SICAM PQ Analyzer

Low Risk | CVSS 3.4 | ICS-CERT ICSA-22-013-06 | Jan 11, 2022
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

SICAM PQ Analyzer contains an unquoted search path vulnerability in registry entries. When the application or Windows resolves these entries to find dependent executables, it may instead run malicious code planted at a writable location earlier on the path (such as C:\Program.exe) if an attacker can write files there. This vulnerability affects versions prior to 3.18.

What this means
What could happen
An attacker with local access could plant malicious executable files in system directories and cause the application to execute them with the privileges of the user or service running SICAM PQ Analyzer, potentially compromising power quality analysis and reporting in the electrical grid.
Who's at risk
Electrical utilities and grid operators running Siemens SICAM PQ Analyzer for power quality monitoring and analysis on Windows systems. The vulnerability requires local system access, so it primarily threatens environments where engineering workstations or analyzer computers may be accessed by staff with limited controls or where USB/removable media policies are not enforced.
How it could be exploited
An attacker must have local file system write access to the Windows root directory or Program Files path. They would create a malicious executable (with any extension: .exe, .com, .msi, etc.) in a location the application searches during startup. When SICAM PQ Analyzer starts, the unquoted registry path causes Windows to execute the attacker's malicious code instead of the legitimate executable, running with the application's privileges.
Prerequisites
  • Local file system write access to C:\ or C:\Program Files paths
  • Ability to create executable files in those directories or subdirectories
  • Knowledge of when the SICAM PQ Analyzer application will run or restart
  • Local exploitation only (not remotely exploitable)
  • Requires local file write access
  • Low CVSS score (3.4) reflects low complexity and high privilege requirements
  • Affects power quality monitoring infrastructure
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
SICAM PQ Analyzer | <V3.18 | 3.18
Remediation & Mitigation
Do now
WORKAROUND: Apply Group Policy Software Restriction or equivalent access control to prevent creation of executables in C:\Program.* and C:\Program Files (x86)\Siemens Energy\SICAM\PQ.* directories. Block all executable extensions (.exe, .com, .msi, .bat, etc.) in these paths.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

HOTFIX: Update SICAM PQ Analyzer to version 3.18 or later
Long-term hardening
HARDENING: Restrict local administrative and file system write access to workstations running SICAM PQ Analyzer; limit to authorized personnel only
HARDENING: Implement network segmentation and firewall rules to restrict access to analyzer workstations; control USB and removable media access
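
A defender-side check for the unquoted-path condition described in the summary, added here as an example and not taken from Siemens or OTPulse. For an unquoted command string it lists the space-delimited prefixes Windows would try as executables (which is why the workaround names C:\Program.* and ...\SICAM\PQ.*) and reports whether a file already exists at each. The sample value, the function name and the choice of service ImagePath and Run keys are assumptions; the page does not say which registry entries are affected.

```powershell
# Added example, not vendor code. Lists the paths Windows would try as
# executables when a command string is stored without quotes.
function Get-UnquotedPathCandidate {
    param([Parameter(Mandatory)][string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) { return }     # quoted: path is unambiguous
    # Isolate the intended executable path (text up to the first ".exe").
    if ($cmd -notmatch '^(.+?\.exe)(\s|$)') { return }
    $exe = $Matches[1]
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -ne ' ') { continue }
        # Each space-delimited prefix is tried in turn; ".exe" is appended
        # when the prefix carries no extension of its own.
        $prefix = $exe.Substring(0, $i)
        if ($prefix -notmatch '\.[^\\. ]+$') { $prefix += '.exe' }
        $prefix
    }
}

# Constructed sample value; only the directory prefix comes from the
# workaround text, "PQ Analyzer\Example.exe /run" is hypothetical.
$sample = 'C:\Program Files (x86)\Siemens Energy\SICAM\PQ Analyzer\Example.exe /run'
Get-UnquotedPathCandidate $sample

# Audit live values. Assumption: service ImagePath and HKLM Run values are
# the places to look; the advisory page does not name the affected entries.
$keys = 'HKLM:\SYSTEM\CurrentControlSet\Services\*',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($item in Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue) {
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -in $meta -or $p.Value -isnot [string] -or -not $p.Value) { continue }
        if ($item.PSPath -like '*\Services\*' -and $p.Name -ne 'ImagePath') { continue }
        foreach ($c in Get-UnquotedPathCandidate $p.Value) {
            [pscustomobject]@{
                Key       = $item.PSChildName
                Value     = $p.Value
                Candidate = $c
                Exists    = Test-Path -LiteralPath $c
            }
        }
    }
}
```

Any row returned means the stored value is unquoted and should be quoted or removed by updating to 3.18; a row with Exists set to True is a file sitting where Windows would run it ahead of the intended program and warrants investigation.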