Vulnerabilities in the Web Interface of SICAM Q100 Devices before V2.60

Monitor5.5SSA-480095Dec 12, 2023

Attack VectorNetwork

Auth RequiredLow

ComplexityHigh

User InteractionRequired

Summary

The SICAM Q100 power meter web interface (versions before V2.60) contains a Cross Site Request Forgery (CSRF) vulnerability and lacks secure cookie protection flags. An attacker can trick an authenticated user into performing unintended actions on the device or intercept session cookies. Siemens has released version 2.60 and later to address these issues.

What this means

What could happen

An attacker could use CSRF to trick an authenticated user into performing unwanted actions on the power meter, such as changing device configuration or settings. Missing cookie protections could allow session hijacking or credential theft if the device communicates over unencrypted channels.

Who's at risk

Energy utilities and power generation facilities using Siemens SICAM Q100 power meters should care about this issue. The vulnerability affects meters used for electrical grid monitoring and power measurement in substations and distribution networks.

How it could be exploited

An attacker crafts a malicious webpage or email link that, when clicked by an authenticated SICAM Q100 administrator, executes unintended actions on the device (e.g., configuration changes) without the user's knowledge. This works because the web server does not properly validate request origins and lacks secure cookie flags to prevent interception.

Prerequisites

Legitimate user (with administrator or engineer credentials) must be logged into SICAM Q100 web interface
Attacker must trick the user into visiting a malicious webpage or clicking a crafted link while logged in
No network access to the device itself is required by the attacker

Remotely exploitable via web interfaceRequires valid user credentials and user interactionLow exploitation complexityAffects grid infrastructure monitoring and control

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

POWER METER SICAM Q100<V2.602.60

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGEducate users to avoid clicking suspicious links or visiting untrusted websites while logged into the SICAM Q100 web interface

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SICAM Q100 firmware to version 2.60 or later

Long-term hardening

0/1

HARDENINGImplement network access controls to limit who can reach the SICAM Q100 web interface (e.g., restrict to engineering workstations only)

CVEs (2)

CVE-2023-30901 CVE-2023-31238

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ec43cd1e-9e21-4d46-87aa-2be6e641272c