
TRUMPF: Multiple products prone to X.Org server vulnerabilities

VDE-2022-049
Last update
05/22/2025 15:03
Published at
11/07/2022 12:43
Vendor(s)
Trumpf SE + Co. KG
External ID
VDE-2022-049
CSAF Document

Summary

TruControl laser control software versions 1.60.0 through 3.40.0 ship with vulnerable X.Org server versions. The affected X.Org flaw is a missing validation of the request length in the handler 'ProcXkbSetGeometry'. An authenticated attacker could craft a request that leads to an out-of-bounds memory write.

Impact

An attacker who is already logged on to the system can exploit this privilege escalation vulnerability, with the following possible impacts/damages to the system:

  • Data loss in the laser control
  • Standstill of production
  • Damage by change of the laser control

Safety is not affected since it is controlled by an independent electromechanical safety mechanism.

Remote code execution, one of the impacts mentioned in the vulnerability description of CVE-2022-2320, is not possible here since no SSH forwarding is used; exploitation requires an authenticated session on the laser controller.

Affected Product(s)

Model no. / Product name          Affected versions
TruControl in TruDiode            1.60.0 up to and including 3.40.0
TruControl in TruDisk             1.60.0 up to and including 3.40.0
TruControl in TruFiber            1.60.0 up to and including 3.40.0
TruControl in TruMicro2000        1.60.0 up to and including 3.40.0
TruControl in TruMicro5000        1.60.0 up to and including 3.40.0
TruControl in TruMicro6000        1.60.0 up to and including 3.40.0
TruControl in TruMicro7000        1.60.0 up to and including 3.40.0
TruControl in TruMicro8000        1.60.0 up to and including 3.40.0
TruControl in TruMicro9000        1.60.0 up to and including 3.40.0
TruControl in TruPulse            1.60.0 up to and including 3.40.0
TruControl in redpowerDirect      1.60.0 up to and including 3.40.0

Vulnerabilities


Published
09/22/2025 14:58
Weakness
Out-of-bounds Write (CWE-787)
Summary

A flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetDeviceInfo requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows a local, authenticated attacker to escalate privileges and execute arbitrary code in the context of root.

References

Published
09/22/2025 14:58
Weakness
Out-of-bounds Write (CWE-787)
Summary

A flaw was found in the Xorg-x11-server (CVE-2022-2320). An out-of-bounds access can occur in the ProcXkbSetGeometry function because the handler does not validate the lengths carried inside the request body against the total request length before reading and copying the data.
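The missing check described above, as an added example that is not code from xorg-server or from TRUMPF: a simplified model of an X11-style request whose body carries counted strings, parsed once without validating the inner counts against the request length from the header, and once with a range check in the spirit of the one the X.Org fix introduced. The header layout, the sample bytes and the helper names are constructed for the demonstration; the real ProcXkbSetGeometry request is far richer. Both parsers cap the destination length so the demo itself never writes out of bounds; what the naive parser shows is the read past the end of the request that the missing length validation allows, which in the real handler turns into the out-of-bounds access the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed X11-style request header (assumption: simplified model).
 * As in the X protocol, `length` counts 4-byte units and includes the header. */
typedef struct {
    uint8_t  req_type;
    uint8_t  minor;
    uint16_t length;
} req_header_t;

#define MAX_STRINGS 8
#define MAX_STR_LEN 32

typedef struct {
    int    count;                             /* strings decoded */
    char   str[MAX_STRINGS][MAX_STR_LEN + 1]; /* NUL-terminated copies */
    size_t consumed;                          /* wire bytes read */
} parsed_t;

/* Copy one counted string (1-byte length + bytes). The destination length is
 * capped so the demo never writes past `dst`. Returns wire bytes consumed. */
static size_t copy_counted(const uint8_t *p, char *dst)
{
    size_t len = p[0];
    size_t n = len > MAX_STR_LEN ? MAX_STR_LEN : len;
    memcpy(dst, p + 1, n);
    dst[n] = '\0';
    return 1 + len;
}

/* Vulnerable pattern: trusts the per-item counts inside the body and never
 * compares them with the request length in the header, so reading runs past
 * the end of the request into whatever follows it in the client buffer. */
int parse_naive(const uint8_t *wire, parsed_t *out)
{
    const uint8_t *p = wire + sizeof(req_header_t);
    int nstrings = p[0];
    p++;
    memset(out, 0, sizeof *out);
    for (int i = 0; i < nstrings && i < MAX_STRINGS; i++) {
        p += copy_counted(p, out->str[i]);
        out->count++;
    }
    out->consumed = (size_t)(p - wire);
    return 0;
}

/* Range check (assumption: modelled on the post-fix helper): do `need` bytes
 * starting at `from` lie inside the request [req, req + req_bytes)? */
static int in_request(const uint8_t *req, size_t req_bytes,
                      const uint8_t *from, size_t need)
{
    size_t off = (size_t)(from - req);
    return from >= req && off <= req_bytes && need <= req_bytes - off;
}

/* Hardened pattern: every read of the body is checked against the request
 * length before it happens; a malformed request is rejected with -1
 * (the server would answer BadLength). */
int parse_checked(const uint8_t *wire, size_t wire_bytes, parsed_t *out)
{
    req_header_t h;
    const uint8_t *p;
    size_t req_bytes;

    memset(out, 0, sizeof *out);
    if (wire_bytes < sizeof h) return -1;
    memcpy(&h, wire, sizeof h);
    req_bytes = (size_t)h.length * 4;
    if (req_bytes < sizeof h || req_bytes > wire_bytes) return -1;

    p = wire + sizeof h;
    if (!in_request(wire, req_bytes, p, 1)) return -1;
    int nstrings = *p++;
    if (nstrings > MAX_STRINGS) return -1;

    for (int i = 0; i < nstrings; i++) {
        if (!in_request(wire, req_bytes, p, 1)) return -1;         /* length byte */
        if (!in_request(wire, req_bytes, p + 1, p[0])) return -1;  /* string bytes */
        if (p[0] > MAX_STR_LEN) return -1;
        p += copy_counted(p, out->str[i]);
        out->count++;
    }
    out->consumed = (size_t)(p - wire);
    return 0;
}

/* Constructed sample: a 12-byte request declaring two strings, followed in the
 * same client buffer by 16 bytes of unrelated data. The second string claims
 * 16 bytes although only 2 remain inside the declared request. */
static const uint8_t BAD_WIRE[] = {
    0x90, 0x1c, 0x03, 0x00,     /* header: length = 3 units = 12 bytes */
    0x02,                       /* nstrings = 2 */
    0x03, 'k', 'b', 'd',        /* string 0: "kbd" */
    0x10, 'x', 'y',             /* string 1: claims 16 bytes, 2 present */
    'S','E','C','R','E','T','-','N','E','X','T','-','R','E','Q','!'
};

/* Constructed well-formed sample with the same layout. */
static const uint8_t GOOD_WIRE[] = {
    0x90, 0x1c, 0x03, 0x00, 0x02, 0x03, 'k', 'b', 'd', 0x02, 'x', 'y'
};

int main(void)
{
    parsed_t a, b;
    parse_naive(BAD_WIRE, &a);
    printf("naive:   %d strings, str[1]=\"%s\", consumed %zu of a 12-byte request\n",
           a.count, a.str[1], a.consumed);
    printf("checked: rc=%d after %d string(s)\n",
           parse_checked(BAD_WIRE, sizeof BAD_WIRE, &b), b.count);
    return 0;
}
```

The naive parser returns the neighbouring buffer contents as part of string 1 and reports having consumed 26 bytes of a request that is 12 bytes long; the checked parser stops at the second string with an error and never touches bytes outside the declared request.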

References

Mitigation

Restrict access to the production network.
Please contact your service partner (service.tls@trumpf.com) for instructions on how to be informed automatically about the new major release 3.42.0 of the TruControl software.

Remediation

Obtain instructions from your service partner on how to deactivate SSH access or enable the firewall on port 22 (SSH) of your laser. Since the flaw can only be triggered by a client that is already logged on to the controller, removing remote SSH logins removes the remote path to it.

Revision History

Version Date Summary
1 11/07/2022 12:43 Initial revision.
2 05/22/2025 15:03 Fix: quotation mark