Full Report
The web server of SICAM Q100 devices, versions before V2.60, contains a Cross Site Request Forgery (CSRF) vulnerability and is missing cookie protection flags. This could allow an attacker to perform arbitrary actions on the device on behalf of a legitimate user, or to impersonate that user. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: CSRF and Missing Cookie Protection in Siemens SICAM Q100
## CVE Details
- **CVE ID:** CVE-2023-30901, CVE-2023-31238
- **CVSS Score:** 5.5 (Medium), the highest score across the listed CVEs
- **CWE:**
  - CWE-352: Cross-Site Request Forgery (CSRF)
  - CWE-732: Incorrect Permission Assignment for Critical Resource
## Affected Systems
- **Products:** POWER METER SICAM Q100 (Models: 7KG9501-0AA01-0AA1, 7KG9501-0AA01-2AA1, 7KG9501-0AA31-0AA1, 7KG9501-0AA31-2AA1)
- **Versions:** All versions prior to V2.60
- **Configurations:** Devices using default web server settings.
## Vulnerability Description
The web interface of affected SICAM Q100 devices contains two distinct security flaws:
1. **CVE-2023-30901:** A Cross-Site Request Forgery (CSRF) vulnerability where the web server does not sufficiently verify if a request was intentionally sent by the authenticated user.
2. **CVE-2023-31238:** The application fails to implement security flags (such as `Secure` or `HttpOnly`) on session cookies. This lack of protection makes it easier for an attacker to intercept or access session tokens.
## Exploitation
- **Status:** PoC Available (the CVSS vector reports an exploit maturity of "P", Proof of Concept).
- **Complexity:** Medium to High (Requires user interaction or specific network conditions).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** Low (Session tokens or user data may be exposed).
- **Integrity:** Low (Attackers can perform actions on behalf of a legitimate user).
- **Availability:** Low (Potential for unauthorized configuration changes impacting device operation).
## Remediation
### Patches
- **Update to V2.60 or later:** Siemens has released firmware version V2.60 to address these flaws. Updates can be obtained via the Siemens Industry Support portal.
### Workarounds
- **Session Management:** Do not visit untrusted websites or click links from unknown sources while simultaneously logged into the SICAM Q100 web interface.
- **Access Control:** Restrict network access to port 443/tcp (HTTPS) to only trusted IP addresses or management VLANs.
- **Infrastructure:** Use firewalls, VPNs, and network segmentation to isolate the power meters from the general corporate network or the internet.
## Detection
- **Indicators of Compromise:** Unusual configuration changes originating from legitimate user accounts; unauthorized administrative actions logged in the device audit trail.
- **Detection Methods:** Vulnerability scanners can be used to identify the missing security flags on HTTP cookies. Network monitoring can identify CSRF attempts by inspecting cross-origin requests directed at the device's web management port.
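The two detection methods above can be scripted. The following is an added example, not code from Siemens or the advisory: it audits `Set-Cookie` headers for the missing `Secure`, `HttpOnly` and `SameSite` attributes (CVE-2023-31238) and flags state-changing requests to the device whose `Origin`/`Referer` does not match the device host, the pattern a CSRF attempt leaves in HTTP logs (CVE-2023-30901). The header samples, the cookie name and the device address `192.0.2.10` are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers: the first matches the weak pattern
# the advisory describes (no protection flags), the second is hardened.
SAMPLE_SET_COOKIE = [
    "SESSIONID=abc123; Path=/",
    "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
]

# Constructed sample requests as they might be captured by a proxy or
# reverse-proxy log in front of the device's web management port.
DEVICE_HOST = "192.0.2.10"
SAMPLE_REQUESTS = [
    {"method": "POST", "headers": {"Origin": "https://192.0.2.10"}},
    {"method": "POST", "headers": {"Referer": "https://other-site.example/p.html"}},
    {"method": "GET", "headers": {}},
]

REQUIRED_FLAGS = ("secure", "httponly", "samesite")
STATE_CHANGING = ("POST", "PUT", "DELETE", "PATCH")


def missing_cookie_flags(set_cookie):
    """Return the protection attributes absent from one Set-Cookie header."""
    # Attributes follow the first "name=value" pair, separated by ";".
    attrs = {p.strip().split("=", 1)[0].lower()
             for p in set_cookie.split(";")[1:]}
    return [f for f in REQUIRED_FLAGS if f not in attrs]


def is_cross_origin_state_change(method, headers, device_host):
    """True when a state-changing request did not originate from the device's
    own web UI. A request carrying neither Origin nor Referer is also flagged,
    since a browser submitting a form in the management UI sends at least one;
    non-browser clients (scripts) will therefore show up here and need triage."""
    if method.upper() not in STATE_CHANGING:
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return True
    return urlsplit(source).hostname != device_host.lower()


def audit(set_cookies, requests, device_host):
    """Run both checks and return the findings as a dict."""
    return {
        "weak_cookies": [c for c in set_cookies if missing_cookie_flags(c)],
        "cross_origin_requests": [r for r in requests
                                  if is_cross_origin_state_change(
                                      r["method"], r["headers"], device_host)],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SET_COOKIE, SAMPLE_REQUESTS, DEVICE_HOST))
```

Real input for the cookie check is the `Set-Cookie` header returned by the device login page; for the request check, the method and headers of each logged request to port 443/tcp.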
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-480095.html
- **Product Support:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109743524/
- **General Guidelines:** hxxps://www.siemens[.]com/gridsecurity