ID

VDE-2022-016

Published

2022-05-02 12:00 (CEST)

Last update

2022-05-02 12:06 (CEST)

Vendor(s)

TRUMPF Laser GmbH
TRUMPF Werkzeugmaschinen SE + Co. KG

Product(s)

Article No° | Product Name    | Affected Version(s)
-           | TruTops Boost   | V13.01 <= V13.05.
-           | TruTops Boost   | = V13.08.21
-           | TruTops Fab     | V22.01. <= V22.05.
-           | TruTops Fab     | = V22.08.21
-           | TruTops Monitor | V22.01. <= V22.05.
-           | TruTops Monitor | = V22.08.21

Summary

A service function in the stated TRUMPF products is exposed without the necessary authentication. Execution of this function may result in unauthorized access to or modification of data, or in disruption of the whole service.


Weakness

Missing Authentication for Critical Function (CWE-306)

Summary

Multiple versions of TRUMPF products expose a service function without the necessary authentication. Execution of this function may result in unauthorized access to or modification of data, or in disruption of the whole service.


Impact

The stated TRUMPF products implement a newly introduced service function that makes functionality intended only for service technicians reachable over the network. Because this function requires no authentication, an attacker with access to the network could execute several commands on the host computer with elevated privileges.

Solution

Use the updated versions of the TRUMPF products, which will be available via your service channel shortly, or apply the hotfix available at the following link: https://files.trumpf.com/w/LmhlkCA74heAIdS4GvJDDHqirMU0dpXbTRr7Erw8CXBvQ

Reported by

CERT@VDE coordinated with TRUMPF