TRUMPF Laser GmbH: TruControl 2.14.0 to 3.14.0 affected by recent sudo vulnerability (CVE-2021-3156)

VDE-2021-011 (2021-03-22 13:04 UTC+0200)

CVE Identifier

CVE-2021-3156

Affected Vendors

TRUMPF Laser GmbH

Affected Products

  • TruPulse
  • TruDisk
  • TruDiode
  • TruFiber
  • TruMicro2000
  • TruMicro5000
  • TruMicro6000
  • TruMicro7000
  • TruMicro8000
  • TruMicro9000
  • redpowerDirect

Affected Versions: TruControl v2.14.0 to 3.14.0

Vulnerability Type

Out-of-Bounds Write (CWE-787)

Summary

TruControl laser control software from version 2.14.0 to 3.14.0 ships sudo versions affected by CVE-2021-3156. The affected sudo versions contain a heap-based buffer overflow that allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

Impact

To exploit this vulnerability, the attacker first needs to gain any kind of user access to the system.

Once logged on to the system, the attacker can exploit the privilege escalation vulnerability, with the following possible impacts/damages to the system:

  • Data loss in the laser control
  • Standstill of production
  • Damage by change of the laser control

Safety is not affected since it is controlled by an independent electromechanical safety mechanism.

Solution

  • Update to TruControl version 3.16.0 or higher, or
  • Contact your service partner (service.tls@trumpf.com) for instructions on how to obtain the patch
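To verify whether the sudo shipped on a TruControl host falls into the affected range described in the summary, a defender can compare its version string against the ranges published by Qualys for CVE-2021-3156 (legacy 1.8.2 to 1.8.31p2, stable 1.9.0 to 1.9.5p1, fixed in 1.9.5p2). The following POSIX shell script is an added example and is not part of this advisory or of TRUMPF's tooling; it assumes `sudo --version` prints its first line as `Sudo version X.Y.ZpN`.

```shell
#!/bin/sh
# Added example (not from the CERT@VDE advisory): classify a sudo version
# against the CVE-2021-3156 affected ranges published by Qualys.

# Split "1.8.31p2" into "1 8 31 2"; a missing patch level counts as 0.
ver_fields() {
    case "$1" in
        *p*) p=${1#*p} ;;          # text after "p" is the patch level
        *)   p=0 ;;
    esac
    base=${1%%p*}                  # "1.8.31"
    IFS=. read -r a b c <<EOF
$base
EOF
    echo "${a:-0} ${b:-0} ${c:-0} ${p:-0}"
}

# Compare two versions field by field; prints -1, 0 or 1.
ver_cmp() {
    l=$(ver_fields "$1"); r=$(ver_fields "$2")
    set -- $l $r                   # $1..$4 = left, $5..$8 = right
    i=0
    while [ $i -lt 4 ]; do
        [ "$1" -lt "$5" ] && { echo -1; return; }
        [ "$1" -gt "$5" ] && { echo 1; return; }
        shift; i=$((i+1))
    done
    echo 0
}

# Return 0 (true) when the version is inside an affected range.
sudo_affected_cve_2021_3156() {
    v=$1
    # legacy branch: 1.8.2 .. 1.8.31p2
    if [ "$(ver_cmp "$v" 1.8.2)" -ge 0 ] && [ "$(ver_cmp "$v" 1.8.31p2)" -le 0 ]; then return 0; fi
    # stable branch: 1.9.0 .. 1.9.5p1 (1.9.5p2 carries the fix)
    if [ "$(ver_cmp "$v" 1.9.0)" -ge 0 ] && [ "$(ver_cmp "$v" 1.9.5p1)" -le 0 ]; then return 0; fi
    return 1
}

# Inspect the local sudo, if one is installed (no privileges needed).
if command -v sudo >/dev/null 2>&1; then
    local_ver=$(sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p')
    if sudo_affected_cve_2021_3156 "$local_ver"; then
        echo "sudo $local_ver: AFFECTED by CVE-2021-3156, apply the TruControl update"
    else
        echo "sudo $local_ver: not in an affected range"
    fi
fi
```

The version check is only an inventory aid; the authoritative fix remains the TruControl update listed above.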

Reported by

CVE-2021-3156 was found by Qualys Research Labs.

TRUMPF reported this advisory to CERT@VDE.