ID

VDE-2024-005

Published

2024-01-23 08:00 (CET)

Last update

2024-01-22 15:33 (CET)

Vendor(s)

TRUMPF Laser GmbH
TRUMPF Werkzeugmaschinen SE + Co. KG

Product(s)

Article No° Product Name Affected Version(s)
Boost <= V16.5
FAB-Boost mixed installation <= V22.7
FAB (Storage) <= V22.7
Oseon-Boost mixed installation <= V3.5
Oseon (Storage) <= V3.2
TruTops Cell <= V2.31.0
TruTops Classic <= V12.1
TruTops Mark <= V6.2

Summary

Under certain circumstances, opening a specially crafted 7-zip package can exploit an integer
underflow vulnerability in 7-zip versions up to and including 22.x.
This vulnerability allows remote code execution, resulting in unauthorized (remote) access to data,
change of data or disruption of the whole service.


Last Update:

Jan. 15, 2024, 1:37 p.m.

Weakness

Integer Underflow (Wrap or Wraparound) (CWE-191)

Summary

Ppmd7.c in 7-Zip before 23.00 allows an integer underflow and invalid read operation via a crafted 7Z archive.


Impact

The stated TRUMPF products include a vulnerable version of 7-zip which can be exploited to take over
the server they’re installed on. This can impact confidentiality, integrity and availability of information on
the affected system.

Solution

Please download the replacement tool (LINK).

For additional questions please contact your TRUMPF Service with the PR number 501709.

Reported by

CERT@VDE coordinated with TRUMPF