Input validation error in POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) and POWER METER SICAM Q100 (7KG9501-0AA31-2AA1)

#VU69171 Input validation error in POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) and POWER METER SICAM Q100 (7KG9501-0AA31-2AA1)

Published: 2022-11-09 | Updated: 2022-11-11

Vulnerability identifier: #VU69171

Vulnerability risk: Medium

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-43545

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
POWER METER SICAM Q100 (7KG9501-0AA01-2AA1)
Hardware solutions / Firmware
POWER METER SICAM Q100 (7KG9501-0AA31-2AA1)
Hardware solutions / Firmware

Vendor:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input within the RecordType-parameter. A remote user can pass specially crafted input to the application and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://cert-portal.siemens.com/productcert/pdf/ssa-570294.pdficsa-22-314-11

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities Siemens SICAM Q200 Devices

Multiple vulnerabilities in Siemens SICAM Q100