Multiple Vulnerabilities in the Web Interface of SICAM Q200 Devices
Act Now | 9.9 | SSA-887249 | Jun 13, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in the SICAM Q200 webserver include Cross-Site Request Forgery (CSRF), session fixation, missing secure flags in HTTP cookies, and memory corruption due to missing input validation that could lead to remote code execution. An attacker with valid credentials and network access to the web interface could perform unauthorized configuration changes or execute arbitrary code on the device.
What this means
What could happen
An attacker with valid credentials could exploit CSRF or session fixation vulnerabilities to perform unauthorized configuration changes on the meter, or trigger memory corruption to execute arbitrary code and compromise the device's integrity and measurements.
Who's at risk
Energy utilities operating Siemens POWER METER SICAM Q200 power meters in versions below 2.70. This includes meter reading, billing, and power quality monitoring systems where Q200 devices are deployed for substation or feeder-level metering.
How it could be exploited
An attacker with network access to the Q200 web interface could craft a malicious request or capture a user session to bypass CSRF protections. Alternatively, memory corruption caused by missing input validation could allow injection of arbitrary code if the attacker can reach the webserver, potentially giving the attacker control of the device.
Prerequisites
- Valid credentials for the Q200 web interface
- Network access to the Q200 device on port 80 or 443
- For CSRF attacks: ability to trick an authenticated user into visiting a malicious page
- For memory corruption: crafted input to vulnerable endpoint
remotely exploitable | requires valid credentials | affects critical metering infrastructure | memory corruption could enable code execution | low attack complexity
Exploitability
Moderate exploit probability (EPSS 1.8%)
Affected products (1)
Product | Affected Versions | Fix Status
POWER METER SICAM Q200 family | < V2.70 | 2.70
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the Q200 web interface using firewall rules; only permit connections from authorized engineering workstations on your management network
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update POWER METER SICAM Q200 to firmware version 2.70 or later
- HARDENING: Review and disable any unnecessary web interface features or services that are not required for normal meter operation
Long-term hardening
- HARDENING: Implement network segmentation to isolate meter management interfaces from general IT networks
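One way to verify that the firewall workaround above is actually enforced is to review flow records for allowed connections to the meters' web ports from sources outside the engineering-workstation allowlist. This is an added example, not part of the advisory or any Siemens tooling; the meter addresses, the authorized subnet and the log format are constructed assumptions.

```python
import ipaddress

# Assumptions (constructed for this example, not from the advisory):
# meter addresses, the engineering-workstation subnet, and the log format.
Q200_METERS = {ipaddress.ip_address("10.20.0.11"), ipaddress.ip_address("10.20.0.12")}
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.10.5.0/28")]
WEB_PORTS = {80, 443}  # web interface ports named in the advisory's prerequisites

# Constructed firewall flow records: "timestamp src dst dport action"
SAMPLE_FLOWS = """\
2023-06-14T08:01:12Z 10.10.5.4 10.20.0.11 443 ALLOW
2023-06-14T08:03:40Z 10.30.7.90 10.20.0.11 80 ALLOW
2023-06-14T08:04:02Z 10.30.7.90 10.20.0.12 443 DENY
2023-06-14T08:05:55Z 10.10.5.4 10.20.0.12 502 ALLOW
malformed line
2023-06-14T08:09:31Z 172.16.9.3 10.20.0.12 443 ALLOW
"""

def find_policy_violations(log_text):
    """Return allowed flows to a Q200 web port from an unauthorized source."""
    violations = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        ts, src, dst, dport, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if dst_ip not in Q200_METERS or port not in WEB_PORTS:
            continue  # not traffic to a meter's web interface
        if action != "ALLOW":
            continue  # a blocked attempt means the rule is working
        if not any(src_ip in net for net in AUTHORIZED_SOURCES):
            violations.append((ts, src, dst, port))
    return violations

if __name__ == "__main__":
    for v in find_policy_violations(SAMPLE_FLOWS):
        print("unauthorized web access allowed:", *v)
```

Any record it reports points to a firewall rule that still lets a non-engineering host reach the web interface.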