ID

VDE-2021-033

Published

2021-08-12 13:02 (CEST)

Last update

2021-09-08 09:07 (CEST)

Vendor(s)

TRUMPF Laser GmbH

Product(s)

  • TruPulse
  • TruDisk
  • TruDiode
  • TruFiber
  • TruMicro2000
  • TruMicro5000
  • TruMicro6000
  • TruMicro7000
  • TruMicro8000
  • TruMicro9000
  • redpowerDirect

with TruControl versions 1.04 to 3.0.0 and TRUMPF Peripheral Bus. (TRUMPF Peripheral Bus is a system expansion of the fieldbus interfaces of a laser control.)

Summary

TruControl laser control software versions 1.04 to 3.0.0 uses CODESYS runtime versions affected by multiple CVEs:

CVE-2021-29242, CVE-2021-29241, CVE-2019-5105, CVE-2020-7052, CVE-2019-9012, CVE-2019-9010, CVE-2019-9009, CVE-2018-10612

In addition to the CVEs listed above, the affected products are also affected by the following three vulnerabilities without a CVE ID:

CODESYS Advisory 2018-07

A crafted communication request may cause an access violation in the affected CODESYS products and may result in a denial-of-service condition.

CVSSv3.0 base score 6.5
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)


CODESYS Advisory 2018-04

The CODESYS runtime system allows online services to access files outside the restricted working directory of the controller.

CVSSv3.0 base score 9.9
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


CODESYS Advisory 2017-03

A crafted request may cause an access violation in the affected CODESYS products and may result in a denial-of-service condition.

CVSSv3.0 base score 7.5
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerabilities



Weakness
Improper Access Control (CWE-284)
Summary

In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior to version 3.5.14.0, user access management and communication encryption is not enabled by default, which could allow an attacker access ...

Weakness
Insufficient Information (NVD-CWE-noinfo)
Summary

An issue was discovered in 3S-Smart CODESYS V3 products. The CODESYS Gateway does not correctly verify the ownership of a communication channel. All variants of the following CODESYS V3 products ...

Weakness
Out-of-bounds Write (CWE-787)
Summary

An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService. A specially crafted packet can cause a large memcpy, resulting in an ...

Weakness
Allocation of Resources Without Limits or Throttling (CWE-770)
Summary

An issue was discovered in 3S-Smart CODESYS V3 products. A crafted communication request may cause uncontrolled memory allocations in the affected CODESYS products and may result in a denial-of-service condition. ...

Weakness
NULL Pointer Dereference (CWE-476)
Summary

CODESYS Gateway 3 before 3.5.17.0 has a NULL pointer dereference that may result in a denial of service (DoS).

Weakness
Improper Handling of Exceptional Conditions (CWE-755)
Summary

An issue was discovered in 3S-Smart CODESYS before 3.5.15.0. Crafted network packets cause the Control Runtime to crash.

Weakness
Improper Input Validation (CWE-20)
Summary

CODESYS Control Runtime system before 3.5.17.0 has improper input validation. Attackers can send crafted communication packets to change the router's addressing scheme and may re-route, add, remove or change low ...

Weakness
Allocation of Resources Without Limits or Throttling (CWE-770)
Summary

CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation which can result in a remote denial of service condition.

Impact

To exploit these vulnerabilities, the attacker first needs to gain any kind of network access to the system.
When the system is reachable over the network, these vulnerabilities can be exploited with the following possible impacts on the system:

  • Data loss in the laser control
  • Standstill of production
  • Damage by change of the laser control
  • Interception of sensitive data

Safety is not affected since it is controlled by an independent electromechanical safety mechanism.

Solution

  • We highly recommend updating to TruControl version 3.16.0 or higher as soon as possible
  • Please contact your service partner (service.tls@trumpf.com) for immediate instructions on how to retrieve the update

Reported by

CODESYS GmbH published the original reports.

TRUMPF Laser GmbH reported the vulnerability to CERT@VDE.