|Article No°||Product Name||Affected Version(s)|
|MonitoringAnalyzer||V1.0 <= V1.3|
|Oseon||V1.0.0 <= V3.0.22|
|ProgrammingTube||V1.0.1 <= V4.6.3|
|TecZoneBend||V18.02.R8 <= V23.06.01|
|ToPsCalculation||V14.00 <= V22.00.00|
|Tops Unfold||= V05.03.00.00|
|TrumpfLicenseExpert||V1.5.2 <= V1.11.1|
|TruTops||V08.00 <= V12.01.00.00|
|TruTopsBoost||V06.00.23.00 <= V16.0.22|
|TruTops Cell Classic||<= V09.09.02|
|TruTops Cell SW48||V01.00 <= V02.26.0|
|TruTopsFab (inkl.TruTops Monitor)||V15.00.23.00 <= V22.8.25|
|TruTopsFab_Storage_SmallStore||V14.06.20 <= V20.04.20.00|
|TruTops Mark 3D||V01.00 <= V06.01|
|TruTopsPrint||V00.06.00 <= V01.00|
|TruTopsWeld||V188.8.131.52 <= V9.0.28148.1|
|TubeDesign||V08.00 <= V14.06.150|
The TRUMPF CAD/CAM software tools mentioned above use the vulnerable CodeMeter Runtime (up to version 7.60b) application from WIBU-SYSTEMS AG to manage licenses within the component TRUMPF License Expert. This CodeMeter application contains new vulnerabilities, which may enable an attacker to gain full access to the server or workstation on which the TRUMPF License Expert has been installed on. A new version of the TRUMPF License Expert which fixes this vulnerability is available.
Machines with a running and correctly installed mGuard hardware firewall cannot be exploited by this vulnerability if used as intended (according to the manual).
A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.
A Improper Privilege Management vulnerability through an incorrect use of privileged APIs in CodeMeter Runtime versions prior to 7.60c allow a local, low privileged attacker to use an API call for escalation of privileges in order gain full admin access on the host system.
An attacker exploiting the vulnerabilities in WIBU CodeMeter Runtime in server mode could gain full access to the affected server via network access without any user interaction.
Exploiting the vulnerabilities in WIBU CodeMeter Runtime in non-networked workstation mode could lead to a privilege elevation and full access on this workstation for an already authenticated user (logged in locally to the PC).
Get the latest version of the TRUMPF License Expert software (>= V2.0.0) at trumpf.com/de_DE/produkte/software/software-lizenzierung and install it on all affected servers and workstations.
CERT@VDE coordinated with TRUMPF