| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | redpowerDirect | 2.14.0 to 3.14.0 |
| | TruDiode | 2.14.0 to 3.14.0 |
| | TruDisk | 2.14.0 to 3.14.0 |
| | TruFiber | 2.14.0 to 3.14.0 |
| | TruMicro2000 | 2.14.0 to 3.14.0 |
| | TruMicro5000 | 2.14.0 to 3.14.0 |
| | TruMicro6000 | 2.14.0 to 3.14.0 |
| | TruMicro7000 | 2.14.0 to 3.14.0 |
| | TruMicro8000 | 2.14.0 to 3.14.0 |
| | TruMicro9000 | 2.14.0 to 3.14.0 |
| | TruPulse | 2.14.0 to 3.14.0 |
TruControl laser control software, versions 2.14.0 to 3.14.0, uses sudo versions affected by CVE-2021-3156. The affected sudo contains a heap-based buffer overflow that allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
To exploit this vulnerability, the attacker first needs to gain any kind of user access to the system.
Once logged on to the system, the privilege escalation vulnerability can be exploited, with the following possible impacts/damages to the system:
Safety is not affected since it is controlled by an independent electromechanical safety mechanism.
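The following is an added triage script, not code from TRUMPF or CERT@VDE, for checking a fleet of laser controllers against this advisory. It encodes the affected product list and the TruControl range 2.14.0 to 3.14.0 from the table above (read here as inclusive at both ends), and it additionally compares the sudo version reported by the host against the upstream sudo release that fixed CVE-2021-3156, 1.9.5p2; that release number comes from the upstream sudo advisory, not from this page. Host names, TruControl versions and sudo banners in the inventory are constructed. Versions are compared as integer tuples, because a plain string comparison would rank 3.9.0 above 3.14.0 and silently miss affected hosts.

```python
"""Triage hosts against the TruControl / CVE-2021-3156 advisory.

Added example, not TRUMPF or CERT@VDE code. Product list and the
TruControl range come from the advisory table; the sudo fix release
1.9.5p2 is taken from the upstream sudo advisory for CVE-2021-3156
(assumption, not stated on this page). Inventory data is constructed.
"""
import re
from typing import List, Tuple

# Affected TruControl range from the advisory, inclusive at both ends.
AFFECTED_MIN = "2.14.0"
AFFECTED_MAX = "3.14.0"
AFFECTED_PRODUCTS = {
    "redpowerDirect", "TruDiode", "TruDisk", "TruFiber", "TruMicro2000",
    "TruMicro5000", "TruMicro6000", "TruMicro7000", "TruMicro8000",
    "TruMicro9000", "TruPulse",
}
# Upstream sudo release that fixed CVE-2021-3156 (assumption from upstream).
SUDO_FIXED = "1.9.5p2"


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '3.14.0' or '1.8.31p2' into a comparable tuple of integers.

    Integer tuples order the way version numbers are meant to, whereas
    lexical comparison would put '3.9.0' after '3.14.0'. A missing sudo
    patch-level ('p') suffix counts as p0, so 1.9.5 sorts before 1.9.5p2.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def trucontrol_affected(product: str, version: str) -> bool:
    """True when the product/version pair falls inside the advisory's range."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


def sudo_version_from_banner(banner: str) -> str:
    """Extract the version from the first line of `sudo --version` output,
    e.g. 'Sudo version 1.8.31' -> '1.8.31'."""
    m = re.search(r"Sudo version (\S+)", banner)
    if not m:
        raise ValueError("no sudo version banner found")
    return m.group(1)


def sudo_possibly_affected(banner: str) -> bool:
    """True when the reported sudo is older than the upstream fix release.

    Caveat: distributions backport the fix without changing the upstream
    version string, so True means 'check the package changelog', not
    'confirmed vulnerable'.
    """
    return parse_version(sudo_version_from_banner(banner)) < parse_version(SUDO_FIXED)


# Constructed inventory: (host, product, TruControl version, `sudo --version` first line)
INVENTORY = [
    ("laser-01", "TruDisk", "3.14.0", "Sudo version 1.8.31"),
    ("laser-02", "TruMicro5000", "3.15.0", "Sudo version 1.9.5p2"),
    ("laser-03", "TruPulse", "2.13.9", "Sudo version 1.8.27"),
    ("laser-04", "TruFiber", "3.2.0", "Sudo version 1.9.5p1"),
]


def triage(inventory) -> List[str]:
    """Return the sorted host names that match either check and need follow-up."""
    flagged = []
    for host, product, tc_version, sudo_banner in inventory:
        if trucontrol_affected(product, tc_version) or sudo_possibly_affected(sudo_banner):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: within advisory range or sudo older than {SUDO_FIXED}; verify patch state")
```

laser-04 is the instructive case: TruControl 3.2.0 lies inside the 2.14.0 to 3.14.0 range, but a string comparison would have placed it above 3.14.0 and skipped it. laser-03 runs a TruControl release outside the range yet still reports an old sudo, which is why the sudo check is kept separate from the product check.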
CVE-2021-3156 was found by Qualys Research Labs.
TRUMPF reported this advisory to CERT@VDE.