
Multiple TRUMPF products prone to nftables server vulnerabilities

VDE-2024-034
Last update
04/10/2025 15:00
Published at
06/25/2024 12:00
Vendor(s)
Trumpf SE + Co. KG
External ID
VDE-2024-034
CSAF Document

Summary

The TruControl laser control software, versions 3.50.0 through 4.00.0 B, ships with Linux kernel versions affected by CVE-2024-1086, a use-after-free in the kernel's netfilter nf_tables subsystem. The kernel vulnerability can be used for local privilege escalation on the control PC.

Impact

To exploit this vulnerability an attacker first needs some form of local user access to the system; the bug itself provides no remote entry point.
Once logged on, the attacker can use the privilege escalation to obtain administrative (root) rights on the control system, with the following possible impacts:
* Data loss in the laser control
* Standstill of production
* Damage caused by modification of the laser control

Safety is not affected since it is controlled by an independent electromechanical safety mechanism.

Affected Product(s)

Model no.                      Product name   Affected versions
TRUMPF Laser SE TruDiode       TruControl     >=3.50.0 and <=4.00.0 B
TRUMPF Laser SE TruDisk        TruControl     >=3.50.0 and <=4.00.0 B
TRUMPF Laser SE TruFiber       TruControl     >=3.50.0 and <=4.00.0 B
TRUMPF Laser SE TruMicro 2000  TruControl     >=3.50.0 and <=4.00.0 B
TRUMPF Laser SE TruMicro 5000  TruControl     >=3.50.0 and <=4.00.0 B
TRUMPF Laser SE TruMicro 6000  TruControl     >=3.50.0 and <=4.00.0 B
TRUMPF Laser SE TruMicro 7000  TruControl     >=3.50.0 and <=4.00.0 B
TRUMPF Laser SE TruMicro 8000  TruControl     >=3.50.0 and <=4.00.0 B
TRUMPF Laser SE TruMicro 9000  TruControl     >=3.50.0 and <=4.00.0 B
TRUMPF Laser SE TruPulse       TruControl     >=3.50.0 and <=4.00.0 B
TRUMPF Laser SE redpowerDirect TruControl     >=3.50.0 and <=4.00.0 B

Vulnerabilities


CVE-2024-1086
Published
09/22/2025 14:57
Weakness
Use After Free (CWE-416)
Summary

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.
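To make the mechanism in that description concrete, the following user-space model of the verdict encoding is added here; it is not code from the advisory, from TRUMPF, or from the Linux kernel itself. The constants mirror the definitions in the kernel's uapi netfilter.h, while vulnerable_verdict_init(), fixed_verdict_init(), model_hook_slow() and caller_uses_freed_skb() are simplified stand-ins (assumed names) for the pre-fix and post-fix nft_verdict_init() checks, for the NF_DROP branch of nf_hook_slow(), and for the NF_HOOK caller; the crafted verdict value is constructed for the example. One caveat worth keeping in mind when reading "any kind of user access" above: loading an nf_tables verdict requires CAP_NET_ADMIN, which an otherwise unprivileged local user only gets where unprivileged user namespaces are enabled, so that kernel setting determines how reachable the bug is on a given build.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict codes and the encoding scheme from include/uapi/linux/netfilter.h,
 * re-declared here so the model builds without kernel headers. */
#define NF_DROP           0
#define NF_ACCEPT         1
#define NF_QUEUE          3
#define NF_VERDICT_MASK   0x000000ff
#define NF_VERDICT_QBITS  16

/* The upper 16 bits of a verdict carry extra data: -errno for NF_DROP,
 * the queue number for NF_QUEUE. x is a negative errno such as -EPERM. */
#define NF_DROP_ERR(x)    (((-(x)) << NF_VERDICT_QBITS) | NF_DROP)

/* Kernel-side decoder (include/linux/netfilter.h). The verdict lives in an
 * int, so the right shift is arithmetic on gcc/clang: a verdict whose upper
 * 16 bits are all ones decodes to a *positive* "error". */
static int nf_drop_geterr(int verdict)
{
    return -(verdict >> NF_VERDICT_QBITS);
}

/* Model of nft_verdict_init() before the fix: any code whose low byte is
 * ACCEPT/DROP/QUEUE passes, even when userspace set the upper bits.
 * Returns 0 on success or -EINVAL. NFT_* jump/return verdicts are omitted. */
static int vulnerable_verdict_init(uint32_t code)
{
    switch (code & NF_VERDICT_MASK) {
    case NF_ACCEPT:
    case NF_DROP:
    case NF_QUEUE:
        return 0;
    default:
        return -EINVAL;
    }
}

/* Model of nft_verdict_init() after the fix ("reject QUEUE/DROP verdict
 * parameters"): only the bare verdict values are accepted from userspace. */
static int fixed_verdict_init(uint32_t code)
{
    switch (code) {
    case NF_ACCEPT:
    case NF_DROP:
    case NF_QUEUE:
        return 0;
    default:
        return -EINVAL;
    }
}

/* Model of the NF_DROP branch of nf_hook_slow(): the skb is freed first,
 * then the decoded errno is handed back. *freed records the model kfree_skb. */
static int model_hook_slow(uint32_t verdict_code, int *freed)
{
    int verdict = (int)verdict_code;   /* the kernel keeps the verdict in an int */
    int ret;

    *freed = 0;
    switch (verdict & NF_VERDICT_MASK) {
    case NF_ACCEPT:
        return NF_ACCEPT;
    case NF_DROP:
        *freed = 1;                    /* kfree_skb_reason(skb, ...) */
        ret = nf_drop_geterr(verdict);
        if (ret == 0)
            ret = -EPERM;
        return ret;
    default:
        return -EPERM;                 /* other verdicts are not modelled */
    }
}

/* Caller side (NF_HOOK): a return value of 1 means "accepted, keep processing
 * skb". Returns 1 when the model would continue with an already freed skb,
 * i.e. the double free / use-after-free condition of CVE-2024-1086. */
static int caller_uses_freed_skb(uint32_t verdict_code)
{
    int freed;
    int ret = model_hook_slow(verdict_code, &freed);
    return freed && ret == NF_ACCEPT;
}

int main(void)
{
    /* Constructed attacker-chosen verdict: NF_DROP with all upper 16 bits set. */
    const uint32_t crafted = 0xFFFF0000u | NF_DROP;
    int freed;

    printf("crafted verdict 0x%08x\n", crafted);
    printf("  pre-fix  nft_verdict_init accepts it: %s\n",
           vulnerable_verdict_init(crafted) == 0 ? "yes" : "no");
    printf("  post-fix nft_verdict_init accepts it: %s\n",
           fixed_verdict_init(crafted) == 0 ? "yes" : "no");
    printf("  nf_hook_slow frees skb and returns %d (NF_ACCEPT=%d): reuse=%s\n",
           model_hook_slow(crafted, &freed), NF_ACCEPT,
           caller_uses_freed_skb(crafted) ? "yes" : "no");
    return 0;
}
```

Build with `cc -Wall -o verdict verdict.c && ./verdict`. The crafted value passes the pre-fix validation because its low byte is NF_DROP, yet after the skb has been freed the decoder turns its upper bits into +1, the NF_ACCEPT return value, so the caller goes on using freed memory. The fixed validation rejects every verdict that carries extra bits; a kernel that still accepts it is one to update, and until then restricting unprivileged user namespaces or blacklisting the nf_tables module (general hardening, not part of this advisory) removes the unprivileged path to this code.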

Remediation

  • Update the TruControl software to release 4.04.0.
  • Contact your service partner (service.tls@trumpf.com) for instructions on how to be notified automatically about the new major release 4.04.0 of the TruControl software.

Revision History

Version Date Summary
1 06/25/2024 12:00 Initial revision.
2 11/06/2024 12:27 Fix: correct certvde domain, added self-reference
3 04/10/2025 15:00 Fixed CSAF self-reference URL