OTPulse
FeedAboutContact

Siemens SICAM Q100 Devices

Monitor5.5ICS-CERT ICSA-23-348-13Dec 12, 2023
Attack VectorNetwork
Auth RequiredLow
ComplexityHigh
User InteractionRequired
Summary

The SICAM Q100 power meter web server (versions before V2.60) contains a Cross-Site Request Forgery (CSRF) vulnerability and lacks proper cookie protection flags. This allows an attacker to perform arbitrary actions on the device on behalf of a legitimate logged-in user, potentially altering meter settings, reading data, or resetting configuration without the user's knowledge. The vulnerability requires the user to visit a malicious website while maintaining an active session with the SICAM Q100 web interface.

What this means
What could happen
An attacker could trick a legitimate user into performing unintended actions on the power meter (such as changing settings or resetting data) through a malicious website, or hijack the user's session to impersonate them and make unauthorized configuration changes.
Who's at risk
Power utility operators and energy facility managers responsible for meter management and power quality monitoring systems. Affects Siemens SICAM Q100 power meters used in substations and electrical distribution systems.
How it could be exploited
An attacker crafts a malicious web page containing hidden requests that target the SICAM Q100 web interface. When a logged-in administrator visits this page, the browser automatically sends their authenticated session cookies to the power meter, allowing the attacker to perform actions on their behalf without their knowledge or explicit consent.
Prerequisites
  • User with administrative or management access to SICAM Q100 web interface must be logged in
  • That user must visit or click a link to a website controlled by the attacker
  • Web browser must have cookies enabled
  • SICAM Q100 must be reachable from the network where the user is accessing the attacker's website
CSRF vulnerability allows unauthorized actions on behalf of authenticated usersMissing security cookie flags reduce session protectionRequires user interaction (user must visit malicious site while logged in)Medium CVSS score (5.5)Web interface is remotely accessible
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
ProductAffected VersionsFix Status
POWER METER SICAM Q100<V2.602.60
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDRestrict network access to the SICAM Q100 web management interface using firewall rules; only allow management traffic from authorized workstations or management networks
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SICAM Q100 firmware to version 2.60 or later
Long-term hardening
0/2
HARDENINGSegment the SICAM Q100 from the business network and internet; place it in a protected OT network zone with restricted outbound access to prevent users from accessing untrusted external websites
HARDENINGUse a VPN with multi-factor authentication for any remote administrative access to SICAM Q100 devices
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/f273bc41-e951-47fa-855a-91b9b124beb8
Siemens SICAM Q100 Devices | CVSS 5.5 - OTPulse