Summary
The TRUMPF CAD/CAM software tools mentioned above use the vulnerable CodeMeter Runtime (up to version 7.60b) application from WIBU-SYSTEMS AG to manage licenses within the component TRUMPF License Expert. This CodeMeter application contains new vulnerabilities, which may enable an attacker to gain full access to the server or workstation on which the TRUMPF License Expert has been installed on. A new version of the TRUMPF License Expert which fixes this vulnerability is available.Machines with a running and correctly installed mGuard hardware firewall cannot be exploited by this vulnerability if used as intended (according to the manual).
Update A, 2023-11-13
Removed CVE-2023-4701 because it was revoked.
Impact
An attacker exploiting the vulnerability in WIBU CodeMeter Runtime in server mode could gain full access to the affected server via network access without any user interaction.
Exploiting the vulnerability in WIBU CodeMeter Runtime in non-networked workstation mode could lead to a privilege elevation and full access on this workstation for an already authenticated user (logged in locally to the PC).
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| MonitoringAnalyzer V1.0<=V1.3 | MonitoringAnalyzer V1.0<=V1.3 | |
| Oseon V1.0.0<=V3.0.22 | Oseon V1.0.0<=V3.0.22 | |
| ProgrammingTube V1.0.1<=V4.6.3 | ProgrammingTube V1.0.1<=V4.6.3 | |
| TecZoneBend V18.02.R8<=V23.06.01 | TecZoneBend V18.02.R8<=V23.06.01 | |
| ToPsCalculation V14.00<=V22.00.00 | ToPsCalculation V14.00<=V22.00.00 | |
| Tops Unfold V05.03.00.00 | Tops Unfold V05.03.00.00 | |
| TruTops Cell Classic <=V09.09.02 | TruTops Cell Classic <=V09.09.02 | |
| TruTops Cell SW48 V01.00<=V02.26.0 | TruTops Cell SW48 V01.00<=V02.26.0 | |
| TruTops Mark 3D V01.00<=V06.01 | TruTops Mark 3D V01.00<=V06.01 | |
| TruTops V08.00<=V12.01.00.00 | TruTops V08.00<=V12.01.00.00 | |
| TruTopsBoost V06.00.23.00<=V16.0.22 | TruTopsBoost V06.00.23.00<=V16.0.22 | |
| TruTopsFab (inkl.TruTops Monitor) V15.00.23.00<=V22.8.25 | TruTopsFab (inkl.TruTops Monitor) V15.00.23.00<=V22.8.25 | |
| TruTopsFab_Storage_SmallStore V14.06.20<=V20.04.20.00 | TruTopsFab_Storage_SmallStore V14.06.20<=V20.04.20.00 | |
| TruTopsPrint V00.06.00<=V01.00 | TruTopsPrint V00.06.00<=V01.00 | |
| TruTopsPrintMultilaserAssistant >=V01.02 | TruTopsPrintMultilaserAssistant >=V01.02 | |
| TruTopsWeld V7.0.198.241<=V9.0.28148.1 | TruTopsWeld V7.0.198.241<=V9.0.28148.1 | |
| TrumpfLicenseExpert V1.5.2<=V1.11.1 | TrumpfLicenseExpert V1.5.2<=V1.11.1 | |
| TubeDesign V08.00<=V14.06.150 | TubeDesign V08.00<=V14.06.150 |
Vulnerabilities
Expand / Collapse allA heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.
Mitigation
Implement general security best practices like network segmentation, endpoint protection and system hardening.
Restrict network access to the TRUMPF License Expert server component to required clients only by using firewalls or other suitable products.
Remediation
Get the latest version of the TRUMPF License Expert software (>= V2.0.0) at trumpf.com/de_DE/produkte/software/software-lizenzierung and install it on all affected servers and workstations.
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 09/13/2023 12:00 | Initial revision. |
| 2 | 11/13/2023 12:00 | Update A |