Siemens SENTRON 7KM PAC3x20
Monitor4.6ICS-CERT ICSA-24-074-01Mar 12, 2024
Attack VectorPhysical
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
The read protection of internal flash memory in SENTRON 7KM PAC3120 and PAC3220 power meter devices was not properly enabled during manufacturing. Devices manufactured between October 3 and December 15, 2023 running firmware 3.2.3 or 3.2.4 are affected. An attacker with physical access could read sensitive data from the flash memory using specialized hardware tools. Siemens has released firmware version 3.3.0 and later that corrects this issue.
What this means
What could happen
An attacker with physical access to a SENTRON 7KM PAC device could read sensitive data from the internal flash memory if the device was manufactured during a specific window (October–December 2023). This could expose configuration data, parameters, or credentials stored on the device.
Who's at risk
Manufacturing facilities and utilities using Siemens SENTRON 7KM PAC power meter devices, particularly those installed between October and December 2023. This affects electrical distribution monitoring and metering equipment that track power quality and consumption in industrial settings and utilities.
How it could be exploited
An attacker must physically access the affected device and use specialized hardware tools or debug interfaces to read the internal flash memory. The vulnerability exists only in devices manufactured between October 3, 2023 and December 15, 2023 that are still running firmware version 3.2.3.
Prerequisites
- Physical access to the device
- Device manufactured between October 3, 2023 and December 15, 2023
- Device running firmware version 3.2.3 or 3.2.4 (within the affected date range)
- Specialized hardware tools to access internal flash or debug interfaces
Physical access requiredLow exploitation complexityAffects confidentiality of stored dataLimited manufacturing window (October–December 2023)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 with fix
ProductAffected VersionsFix Status
SENTRON 7KM PAC3120 AC/DC≥ V3.2.3 <V3.2.4 only when manufactured between LQN231003... and LQN231215... with LQNYYMMDD...3.2.4
SENTRON 7KM PAC3120 DC≥ V3.2.3 <V3.2.4 only when manufactured between LQN231003... and LQN231215... with LQNYYMMDD...3.2.4
SENTRON 7KM PAC3220 AC/DC≥ V3.2.3 <V3.2.4 only when manufactured between LQN231003... and LQN231215... with LQNYYMMDD...3.2.4
SENTRON 7KM PAC3220 DC≥ V3.2.3 <V3.2.4 only when manufactured between LQN231003... and LQN231215... with LQNYYMMDD...3.2.4
Remediation & Mitigation
0/3
Do now
0/1HARDENINGRestrict physical access to SENTRON 7KM PAC devices to trusted personnel only
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
SENTRON 7KM PAC3120 AC/DC
HOTFIXUpdate affected SENTRON 7KM PAC3120 AC/DC, PAC3120 DC, PAC3220 AC/DC, and PAC3220 DC devices to firmware version 3.3.0 or later
Long-term hardening
0/1HARDENINGEnsure power meter devices are protected by firewalls and isolated from business networks and the Internet
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/8315a674-96fa-448f-9da9-7ab7ad079012