Siemens SICAM Q100 Devices

MonitorCVSS 5.5ICS-CERT ICSA-23-348-13Dec 12, 2023

SiemensEnergy

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityHigh

User InteractionRequired

Summary

The SICAM Q100 power meter web server (versions before V2.60) contains a Cross-Site Request Forgery (CSRF) vulnerability and lacks proper cookie protection flags. This allows an attacker to perform arbitrary actions on the device on behalf of a legitimate logged-in user, potentially altering meter settings, reading data, or resetting configuration without the user's knowledge. The vulnerability requires the user to visit a malicious website while maintaining an active session with the SICAM Q100 web interface.

What this means

What could happen

An attacker could trick a legitimate user into performing unintended actions on the power meter (such as changing settings or resetting data) through a malicious website, or hijack the user's session to impersonate them and make unauthorized configuration changes.

Who's at risk

Power utility operators and energy facility managers responsible for meter management and power quality monitoring systems. Affects Siemens SICAM Q100 power meters used in substations and electrical distribution systems.

How it could be exploited

An attacker crafts a malicious web page containing hidden requests that target the SICAM Q100 web interface. When a logged-in administrator visits this page, the browser automatically sends their authenticated session cookies to the power meter, allowing the attacker to perform actions on their behalf without their knowledge or explicit consent.

Prerequisites

User with administrative or management access to SICAM Q100 web interface must be logged in
That user must visit or click a link to a website controlled by the attacker
Web browser must have cookies enabled
SICAM Q100 must be reachable from the network where the user is accessing the attacker's website

CSRF vulnerability allows unauthorized actions on behalf of authenticated usersMissing security cookie flags reduce session protectionRequires user interaction (user must visit malicious site while logged in)Medium CVSS score (5.5)Web interface is remotely accessible

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

POWER METER SICAM Q100<V2.602.60

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to the SICAM Q100 web management interface using firewall rules; only allow management traffic from authorized workstations or management networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SICAM Q100 firmware to version 2.60 or later

Long-term hardening

0/2

HARDENINGSegment the SICAM Q100 from the business network and internet; place it in a protected OT network zone with restricted outbound access to prevent users from accessing untrusted external websites

HARDENINGUse a VPN with multi-factor authentication for any remote administrative access to SICAM Q100 devices

CVEs (2)

CVE-2023-30901 CVE-2023-31238

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f273bc41-e951-47fa-855a-91b9b124beb8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.