Full Report
Multiple vulnerabilities were identified in the webserver of Q200 devices. These include Cross Site Request Forgery (CSRF), session fixation, missing secure flags in HTTP cookies and memory corruption issues due to missing input validation that could lead to remote code execution. Siemens has released an update for POWER METER SICAM Q200 family and recommends to update to the latest version.
Analysis Summary
# Vulnerability: Multiple Flaws in SICAM Q200 Web Interface
## CVE Details
- **CVE ID:** CVE-2022-43439, CVE-2022-43545, CVE-2022-43546
- **CVSS Score:** 9.9 (Critical)
- **CWE:** CWE-20 (Improper Input Validation)
- **CVE ID:** CVE-2022-43398
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-384 (Session Fixation)
- **CVE ID:** CVE-2023-31238, CVE-2023-30901
- **CVSS Score:** 5.5 (Medium) / 4.3 (Medium)
- **CWE:** CWE-732 (Incorrect Permission Assignment), CWE-352 (CSRF)
## Affected Systems
- **Products:** POWER METER SICAM Q200 family
- **Versions:** All versions prior to V2.70
- **Configurations:** Devices with the web interface enabled (typically port 443/tcp).
## Vulnerability Description
The SICAM Q200 web server contains several security flaws ranging from session management issues to critical memory corruption vulnerabilities:
- **Remote Code Execution (RCE):** Three specific parameters—`Language`, `RecordType`, and `EndTime`—are not properly validated in web requests. This lack of validation can lead to memory corruption, allowing an authenticated attacker to crash the device or execute arbitrary code.
- **Session Hijacking:** The device fails to renew session cookies upon login/logout and accepts user-defined cookies (Session Fixation). Furthermore, cookies lack "Secure" flags in default configurations.
- **CSRF:** The interface does not implement sufficient Cross-Site Request Forgery protections, allowing attackers to perform actions on behalf of a logged-in user.
## Exploitation
- **Status:** PoC available (indicated by "E:P" in CVSS vectors); No reports of exploitation in the wild at this time.
- **Complexity:** Low (for RCE/CSRF); High (for Session Fixation/Cookie flags).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Full account access and potential data exposure).
- **Integrity:** High (Ability to modify device configurations or execute code).
- **Availability:** High (Device crash/reboot and loss of monitoring capabilities).
## Remediation
### Patches
- **Update to V2.70 or later.** Siemens recommends immediate firmware upgrades for all affected devices.
- Patch Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109743592/
### Workarounds
- **Traffic Filtering:** Restrict access to port 443/tcp to known, trusted IP addresses only.
- **Browser Hygiene:** Do not access links from untrusted sources or browse other websites while simultaneously logged into the Q200 web interface.
## Detection
- **Indicators of Compromise:** Unexpected device reboots; unauthorized configuration changes; presence of unfamiliar session cookies.
- **Detection methods:** Monitor network traffic for unusual payloads in the `Language`, `RecordType`, or `EndTime` parameters of HTTPS requests directed at the device.
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens.com/productcert/html/ssa-887249.html
- **Siemens Grid Security Guidelines:** hxxps://www.siemens.com/gridsecurity
- **Siemens ProductCERT:** hxxps://www.siemens.com/cert/advisories