Siemens SIMATIC TIM libcurl
Plan Patch · 7.5 · ICS-CERT ICSA-21-159-10 · Jun 8, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIMATIC TIM 1531 IRC devices contain vulnerabilities in the third-party libcurl component. These vulnerabilities could allow an attacker to extract sensitive information (CWE-200) and could cause the device to accept revoked SSL/TLS certificates as valid (CWE-295), potentially enabling man-in-the-middle attacks or disclosure of confidential data transmitted by the device.
What this means
What could happen
An attacker could intercept encrypted communications to the TIM 1531 IRC (by presenting a revoked certificate) or extract sensitive information from the device, potentially exposing credentials or process data used for remote management and monitoring of industrial networks.
Who's at risk
Water and electric utilities using Siemens SIMATIC TIM 1531 IRC industrial routers (including SIPLUS NET variants) for remote access, VPN termination, or network management of control system equipment. The TIM 1531 IRC is commonly deployed for secure connectivity between field sites and central control centers.
How it could be exploited
An attacker with network access to the TIM 1531 IRC could intercept TLS connections and present a revoked certificate, which the vulnerable libcurl library would accept as valid. Alternatively, the device could leak sensitive information through the libcurl vulnerability if the device initiates outbound connections. This requires network reachability to the device or interception of its communications.
Prerequisites
- Network access to the TIM 1531 IRC device or ability to intercept its network communications
- Device must be configured to initiate outbound HTTPS connections or accept incoming TLS connections
Remotely exploitable · No authentication required · Low complexity attack · Information disclosure vulnerability · Certificate validation bypass
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product: SIMATIC TIM 1531 IRC (incl. SIPLUS NET variants)
Affected Versions: <V2.2
Fix Status: 2.2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the device to internal network or VPN only, limiting connections to trusted IP addresses
HARDENING: Ensure the device is not directly accessible from the Internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update SIMATIC TIM 1531 IRC firmware to version 2.2 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate TIM 1531 IRC and control system devices behind firewalls, separate from the business network
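An added example, not part of the original advisory or any Siemens tooling: a Python triage of an asset inventory against the affected range (<V2.2) and the internal-access mitigation listed above. The CSV columns, host names, addresses and the 10.20.0.0/16 internal range are constructed assumptions, and dotted versions are assumed to compare component by component.

```python
import csv
import io
import ipaddress
import re

FIXED = (2, 2)            # advisory: versions below V2.2 are affected
PRODUCT = "TIM 1531 IRC"  # also matches the SIPLUS NET variants
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed internal/VPN range

# Constructed sample inventory: hypothetical hosts and column names.
SAMPLE_INVENTORY = """host,model,firmware,mgmt_ip
pump-st-01,SIMATIC TIM 1531 IRC,V2.1,10.20.1.5
substation-7,SIPLUS NET TIM 1531 IRC,V2.0.1,203.0.113.40
reservoir-2,SIMATIC TIM 1531 IRC,V2.2,10.20.3.9
booster-4,SIMATIC TIM 1531 IRC,V2.10,10.20.4.2
plc-rack-3,SIMATIC S7-1500,V2.1,10.20.5.8
lift-st-9,SIMATIC TIM 1531 IRC,unknown,10.20.6.3
"""

def parse_version(text):
    """'V2.0.1' -> (2, 0, 1); None if the string is not a dotted version."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """Compare component by component, so V2.10 counts as newer than V2.2."""
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED

def triage(inventory_csv):
    """Return (host, status, outside_internal_nets) per TIM 1531 IRC row."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if PRODUCT not in row["model"]:
            continue
        version = parse_version(row["firmware"])
        if version is None:
            status = "unknown"  # verify by hand; never assume patched
        elif is_affected(version):
            status = "affected"
        else:
            status = "fixed"
        ip = ipaddress.ip_address(row["mgmt_ip"])
        outside = not any(ip in net for net in INTERNAL_NETS)
        findings.append((row["host"], status, outside))
    return findings

if __name__ == "__main__":
    for host, status, outside in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status:9} outside-internal-range={outside}")
```

Rows that are both affected and outside the internal range are the ones to restrict first; rows with an unparseable firmware string are reported separately rather than treated as patched.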
CVEs (2)