Summary
TruControl laser control software versions 2.14.0 through 3.14.0 ship a sudo version affected by CVE-2021-3156. The affected sudo contains a heap-based buffer overflow that allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
Impact
To exploit this vulnerability, the attacker first needs to gain some kind of user access to the system.
Once logged on to the system, the privilege escalation vulnerability can be exploited with the following possible impacts on the system:
- Data loss in the laser control
- Standstill of production
- Damage by change of the laser control
Safety is not affected since it is controlled by an independent electromechanical safety mechanism.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| | Hardware TruDiode | TruControl 2.14.0<=3.14.0 |
| | Hardware TruDisk | TruControl 2.14.0<=3.14.0 |
| | Hardware TruFiber | TruControl 2.14.0<=3.14.0 |
| | Hardware TruMicro2000 | TruControl 2.14.0<=3.14.0 |
| | Hardware TruMicro5000 | TruControl 2.14.0<=3.14.0 |
| | Hardware TruMicro6000 | TruControl 2.14.0<=3.14.0 |
| | Hardware TruMicro7000 | TruControl 2.14.0<=3.14.0 |
| | Hardware TruMicro8000 | TruControl 2.14.0<=3.14.0 |
| | Hardware TruMicro9000 | TruControl 2.14.0<=3.14.0 |
| | Hardware redpowerDirect | TruControl 2.14.0<=3.14.0 |
Vulnerabilities
A Denial of Service vulnerability was found in Hilscher PROFINET IO Device V3 in versions prior to V3.14.0.7. This may lead to unexpected loss of cyclic communication or interruption of acyclic communication.
Remediation
- Update to TruControl version 3.16.0 or higher
- Please contact your service partner (service.tls@trumpf.com) for instructions on how to retrieve the patch
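As an added example (not part of this advisory or of any TRUMPF tooling), the following Python check lets an operator classify inventory data against the Summary and Remediation sections: it parses the first line of `sudo -V`, including the `pN` patch-level suffix, and compares both the sudo build and the TruControl version against the affected ranges. The sudo version ranges are not on this page; they are assumed from the upstream sudo fix for CVE-2021-3156.

```python
import re
from typing import Optional, Tuple

# Vulnerable sudo ranges for CVE-2021-3156. Not stated on this page; assumed from
# the upstream sudo fix: 1.8.2..1.8.31p2 and 1.9.0..1.9.5p1 (fixed in 1.9.5p2).
SUDO_VULN_RANGES = [((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1))]

# TruControl ranges from the advisory: 2.14.0 to 3.14.0 affected, 3.16.0 fixed.
TRUCONTROL_VULN = ((2, 14, 0), (3, 14, 0))
TRUCONTROL_FIXED = (3, 16, 0)

_SUDO_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

def parse_sudo_version(sudo_v_output: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse `sudo -V` output into (major, minor, patch, p-level); p-level 0 if absent."""
    m = _SUDO_RE.search(sudo_v_output)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))

def sudo_is_vulnerable(sudo_v_output: str) -> bool:
    """True if the reported sudo build falls inside a CVE-2021-3156 range."""
    v = parse_sudo_version(sudo_v_output)
    if v is None:
        raise ValueError("unrecognised sudo -V output")
    return any(lo <= v <= hi for lo, hi in SUDO_VULN_RANGES)

def parse_trucontrol_version(s: str) -> Tuple[int, int, int]:
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad TruControl version: {s!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def trucontrol_status(version: str) -> str:
    """Classify a TruControl version against the advisory's affected/fixed ranges."""
    v = parse_trucontrol_version(version)
    if TRUCONTROL_VULN[0] <= v <= TRUCONTROL_VULN[1]:
        return "affected: update to TruControl 3.16.0 or higher"
    if v >= TRUCONTROL_FIXED:
        return "fixed"
    return "not listed in advisory"

if __name__ == "__main__":
    # Constructed sample output, not captured from a real TruControl host.
    sample = "Sudo version 1.8.31p2\nSudoers policy plugin version 1.8.31p2\n"
    print(sudo_is_vulnerable(sample), trucontrol_status("3.14.0"))
```

Distribution packages often backport the fix without changing the version string (`sudo -V` may still report 1.8.31), so treat a "vulnerable" result as a prompt to check the vendor's package changelog rather than as proof.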
Revision History
Version | Date | Summary |
---|---|---|
1 | 03/22/2021 09:59 | initial revision |
2 | 04/10/2025 15:00 | Fixed CSAF reference URL and publisher information. |
3 | 05/14/2025 15:00 | Fix: added distribution |