#VU69171 Input validation error in POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) and POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) - CVE-2022-43545

Cybersecurity Help s.r.o.

Published: 2022-11-09 | Updated: 2022-11-11

Vulnerability identifier: #VU69171

Vulnerability risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-43545

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
POWER METER SICAM Q100 (7KG9501-0AA01-2AA1)
Hardware solutions / Firmware
POWER METER SICAM Q100 (7KG9501-0AA31-2AA1)
Hardware solutions / Firmware

Vendor: Siemens

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input within the RecordType-parameter. A remote user can pass specially crafted input to the application and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

POWER METER SICAM Q100 (7KG9501-0AA01-2AA1): before 2.50

POWER METER SICAM Q100 (7KG9501-0AA31-2AA1): before 2.50

External links
https://cert-portal.siemens.com/productcert/pdf/ssa-570294.pdficsa-22-314-11

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities Siemens SICAM Q200 Devices

Multiple vulnerabilities in Siemens SICAM Q100