The TRUMPF CAD/CAM software tools mentioned above use the vulnerable CodeMeter Runtime (up to version 7.60b) application from WIBU-SYSTEMS AG to manage licenses within the component TRUMPF License Expert. This CodeMeter application contains new vulnerabilities, which may enable an attacker to gain full access to the server or workstation on which the TRUMPF License Expert has been installed on. A new version of the TRUMPF License Expert which fixes this vulnerability is available.
Machines with a running and correctly installed mGuard hardware firewall cannot be exploited by this vulnerability if used as intended (according to the manual).
Update A, 2023-11-13
Removed CVE-2023-4701 because it was revoked.
TruControl laser control software from versions 1.60.0 to 3.40.0 use a vulnerable X.Org server versions. The affected X.Org vulnerability is not validating the request length properly for the handler “ProcXkbSetGeometry”. An authenticated Attacker could craft a request which could lead to memory out-of bounds write.
A service function in the stated TRUMPF products is exposed without necessary authentication. Execution of this function may result in unauthorized access to, change of data or disruption of the whole service.
TruControl laser control software from versions 1.04 to 3.0.0 use codesys runtime versions affected by multiple CVEs:
CVE-2021-29242, CVE-2021-29241, CVE-2019-5105, CVE-2020-7052, CVE-2019-9012, CVE-2019-9010, CVE-2019-9009, CVE-2018-10612
In addition to the CVEs listed above, the affected products are also affected by the following three vulnerabilites without a CVE ID:
CODESYS Advisory 2018-07
A crafted communication request may cause an access violation in the affected CODESYS products and may result in a denial-of-service condition.
CVSSv3.0 base score 6.5
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CODESYS Advisory 2018-04
The CODESYS runtime system allows to access files outside the restricted working directory of the controller by online services
CVSSv3.0 base score 9.9
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
CODESYS Advisory 2017-03
A crafted request may cause an access violation in the affected CODESYS products and may result in a denial-of-service condition
CVSSv3.0 base score 7.5
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
TruControl laser control software from versions 2.14.0 to 3.14.0 use sudo versions affected by CVE-2021-3156. The affected sudo has a heap-based buffer overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.