Full Report
SICAM Q100 devices contain multiple vulnerabilities that could allow an attacker to take over the session of a logged-in user or to inject custom code. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in SICAM Q100 Power Meters
## CVE Details
- **CVE ID:** CVE-2022-43398, CVE-2022-43544, CVE-2022-43545, CVE-2022-43546
- **CVSS Score:** 9.9 (Critical)
- **CWE:** CWE-384 (Session Fixation), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** POWER METER SICAM Q100 (Models: 7KG9501-0AA01-0AA1, 7KG9501-0AA01-2AA1, 7KG9501-0AA31-0AA1, 7KG9501-0AA31-2AA1)
- **Versions:** All versions prior to V2.50
- **Configurations:** Devices with the web interface enabled and accessible via port 443/tcp.
## Vulnerability Description
The SICAM Q100 devices are affected by four distinct vulnerabilities within the web management interface:
1. **Session Management (CVE-2022-43398):** The device does not renew the session identifier after login or logout and accepts whatever identifier the client presents. An attacker can therefore plant a session identifier of their choosing in a user's browser; once that user authenticates, the attacker presents the same identifier and holds the authenticated session (session fixation). Because the identifier is also kept across logout, an identifier that leaked during an earlier session becomes usable again at the victim's next login.
2. **Input Validation (CVE-2022-43544, CVE-2022-43545, CVE-2022-43546):** The web interface does not properly validate the `StartDay`, `RecordType`, and `EndTime` parameters. An authenticated attacker who sends crafted values for these parameters can crash the device (which then reboots automatically) or execute arbitrary code on it.
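To make the session-management flaw concrete, the following Python example (added for this report; it is not SICAM Q100 firmware code) puts the pattern the advisory describes next to the hardened form. The cookie name `SESSIONID`, the in-memory session store, the demo credential and the two attack scenarios are assumptions made for the illustration: `fixation_attack` plants a chosen identifier and replays it after the victim logs in, and `stale_id_after_relogin` checks whether an identifier that leaked earlier comes back to life after a logout/login cycle.

```python
"""Session fixation: vulnerable session handling beside the hardened form.

Added illustration, not vendor code. Cookie name, session store and the
demo credential are assumptions for the example.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

COOKIE = "SESSIONID"                 # assumed cookie name
USERS = {"admin": "correct-horse"}   # constructed demo credential


@dataclass
class Request:
    cookies: Dict[str, str]
    username: Optional[str] = None
    password: Optional[str] = None


@dataclass
class Response:
    body: str
    set_cookie: Dict[str, str] = field(default_factory=dict)


class VulnerableSessions:
    """The advisory's pattern: a client-supplied id is honoured and is kept
    unchanged across login and logout."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Optional[str]] = {}  # id -> user, None = anonymous

    def login(self, req: Request) -> Response:
        # Flaw 1: whatever id the client presents becomes a valid session id.
        sid = req.cookies.get(COOKIE) or secrets.token_hex(16)
        if USERS.get(req.username) == req.password:
            # Flaw 2: the id is not renewed, so whoever already holds it
            # now holds the authenticated session.
            self.sessions[sid] = req.username
            return Response("ok", {COOKIE: sid})
        self.sessions.setdefault(sid, None)
        return Response("denied", {COOKIE: sid})

    def logout(self, req: Request) -> Response:
        sid = req.cookies.get(COOKIE, "")
        if sid in self.sessions:
            self.sessions[sid] = None      # demoted, but the id stays in use
        return Response("bye", {COOKIE: sid})

    def whoami(self, req: Request) -> Optional[str]:
        return self.sessions.get(req.cookies.get(COOKIE, ""))


class HardenedSessions:
    """Only server-issued ids are valid; login always issues a fresh id and
    logout destroys the old one."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def login(self, req: Request) -> Response:
        # Drop any session bound to the presented id, and never reuse a
        # client-chosen value as the new id.
        self.sessions.pop(req.cookies.get(COOKIE, ""), None)
        if USERS.get(req.username) != req.password:
            return Response("denied")
        sid = secrets.token_hex(16)
        self.sessions[sid] = req.username
        return Response("ok", {COOKIE: sid})

    def logout(self, req: Request) -> Response:
        self.sessions.pop(req.cookies.get(COOKIE, ""), None)
        return Response("bye", {COOKIE: ""})

    def whoami(self, req: Request) -> Optional[str]:
        return self.sessions.get(req.cookies.get(COOKIE, ""))


def fixation_attack(store) -> Optional[str]:
    """Attacker plants a chosen id in the victim's browser, the victim logs in,
    the attacker replays the id. Returns the identity the attacker obtains
    (None means the attack failed)."""
    planted = "attacker-chosen-id"
    store.login(Request({COOKIE: planted}, username="admin", password="correct-horse"))
    return store.whoami(Request({COOKIE: planted}))


def stale_id_after_relogin(store) -> Optional[str]:
    """An id that leaked during an earlier session: is it live again after the
    victim logs out and back in with the browser still sending it?"""
    creds = dict(username="admin", password="correct-horse")
    leaked = store.login(Request({}, **creds)).set_cookie[COOKIE]
    store.logout(Request({COOKIE: leaked}))
    store.login(Request({COOKIE: leaked}, **creds))   # browser keeps the cookie
    return store.whoami(Request({COOKIE: leaked}))


if __name__ == "__main__":
    for cls in (VulnerableSessions, HardenedSessions):
        print(cls.__name__, fixation_attack(cls()), stale_id_after_relogin(cls()))
```

Against `VulnerableSessions` both scenarios hand the attacker the `admin` session; against `HardenedSessions` both return `None`, because the presented identifier is never promoted and the post-logout identifier is gone. The two properties to check in any web stack are the same: a new identifier on every privilege change, and unknown identifiers treated as no session at all.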
## Exploitation
- **Status:** Proof-of-concept available (the CVSS temporal vector carries `E:P`, Exploit Code Maturity: Proof-of-Concept)
- **Complexity:** Low
- **Attack Vector:** Network (remote)
- **Privileges:** The input-validation flaws require an authenticated web session; the session-fixation flaw is the unauthenticated route to obtaining one, so the two classes chain.
## Impact
- **Confidentiality:** High (Full access to device data and potential session hijacking)
- **Integrity:** High (Ability to execute custom code and change configurations)
- **Availability:** High (Device can be crashed remotely, leading to an automatic reboot)
## Remediation
### Patches
- **Update to V2.50 or later:** Siemens has released firmware version V2.50 to address these vulnerabilities across all affected hardware variations.
### Workarounds
- **Access Control:** Restrict access to the web interface (port 443/tcp) to trusted IP addresses only. This limits who can reach the interface but does not protect against session fixation or crafted requests from a host that is itself on the trusted list; the V2.50 update remains the actual fix.
- **Network Segmentation:** Place the devices in a protected IT/OT environment behind firewalls, reachable only through a VPN or jump host.
## Detection
- **Indicators of Compromise:** Unusual device reboots; unauthorized configuration changes; presence of unrecognized session cookies in web traffic.
- **Detection methods:** The interface is served over TLS on 443/tcp, so request contents are only inspectable where TLS is terminated in front of the device (a reverse proxy or a decrypted capture). Where they are, flag requests whose `StartDay`, `RecordType`, or `EndTime` values are unusually long or contain characters outside the expected date, time, or small-integer format. Without decryption, fall back to metadata: connections to 443/tcp from sources outside the trusted allowlist, and unexplained reboot or link-down events that follow a web session. Apply any industrial IDS signatures your IDS supplier provides for Siemens SICAM web interface traffic.
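The parameter check described above, as an added Python example that is not a vendor or IDS signature. It assumes the requests are available in plaintext combined log format (from a TLS-terminating proxy or a decrypted capture), that the three parameters travel in the query string, and that legitimate values are short and made of letters, digits, colons and hyphens; the `/cgi-bin/records` path and the four sample log lines are constructed for the example. The same allowlist in `check_target` is also the shape of the server-side validation the input-validation CVEs lack.

```python
"""Flag requests carrying abnormal StartDay / RecordType / EndTime values.

Added example for this report, not vendor code. Assumes plaintext combined
log lines; the path, value formats and thresholds are assumptions.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

WATCHED = ("StartDay", "RecordType", "EndTime")
MAX_LEN = 32                                 # assumed: legitimate values are short
ALLOWED = re.compile(r"^[A-Za-z0-9:\-]*$")   # assumed: dates, times, small integers

# Apache/nginx combined log format: src ident user [ts] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

Finding = Tuple[str, str]


def check_target(target: str) -> List[Finding]:
    """Inspect one request target's query string; return (param, reason) pairs."""
    findings: List[Finding] = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name not in WATCHED:
            continue
        if len(value) > MAX_LEN:
            findings.append((name, f"length {len(value)} > {MAX_LEN}"))
        elif not ALLOWED.match(value):          # percent-decoded by parse_qsl
            findings.append((name, "unexpected characters"))
    return findings


def scan(lines: List[str]) -> List[dict]:
    """Run check_target over every parsable log line; one alert per hit."""
    alerts: List[dict] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings = check_target(m["target"])
        if findings:
            alerts.append({"src": m["src"], "ts": m["ts"],
                           "status": m["status"], "findings": findings})
    return alerts


def by_source(alerts: List[dict]) -> Dict[str, int]:
    """Count alerts per client address so repeat offenders surface first."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert["src"]] = counts.get(alert["src"], 0) + 1
    return counts


# Constructed sample: one normal query, two crafted ones, one unrelated request.
SAMPLE_LOG = [
    '10.0.5.20 - - [10/Jan/2023:08:01:12 +0000] "GET /cgi-bin/records?StartDay=20230109&EndTime=23:59:59&RecordType=1 HTTP/1.1" 200 512',
    '10.0.5.77 - - [10/Jan/2023:08:02:40 +0000] "GET /cgi-bin/records?StartDay=' + "A" * 200 + '&RecordType=1 HTTP/1.1" 200 0',
    '10.0.5.77 - - [10/Jan/2023:08:02:41 +0000] "GET /cgi-bin/records?RecordType=1%27%3B%2F%2A&EndTime=12:00:00 HTTP/1.1" 500 0',
    '10.0.5.20 - - [10/Jan/2023:08:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for alert in hits:
        print(alert["ts"], alert["src"], alert["status"], alert["findings"])
    print(by_source(hits))
```

On the sample the two crafted requests from `10.0.5.77` are flagged (an oversized `StartDay`, then a `RecordType` containing quote and comment characters, followed by a 500 response), and the normal query is not. Tune `MAX_LEN` and `ALLOWED` to the value formats observed on your own devices before deploying; a 500 status or a reboot immediately after a flagged request is the correlation worth alerting on.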
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-570294.html
- **Firmware Download:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109743524/
- **General Guidelines:** hxxps://www.siemens[.]com/gridsecurity