Share: Email | Twitter

ID

VDE-2021-033

Published

2021-08-12 13:02 (CEST)

Last update

2021-08-12 13:02 (CEST)

Vendor(s)

TRUMPF Laser GmbH

Product(s)

Article No° Product Name Affected Version(s)
TruControl in redpowerDirect 1.04 < 3.16.0
TruControl in TruDiode 1.04 < 3.16.0
TruControl in TruDisk 1.04 < 3.16.0
TruControl in TruFiber 1.04 < 3.16.0
TruControl in TruMicro2000 1.04 < 3.16.0
TruControl in TruMicro5000 1.04 < 3.16.0
TruControl in TruMicro6000 1.04 < 3.16.0
TruControl in TruMicro7000 1.04 < 3.16.0
TruControl in TruMicro8000 1.04 < 3.16.0
TruControl in TruMicro9000 1.04 < 3.16.0
TruControl in TruPulse 1.04 < 3.16.0

Summary

TruControl laser control software from versions 1.04 to 3.0.0 use codesys runtime versions affected by multiple CVEs:

CVE-2021-29242, CVE-2021-29241, CVE-2019-5105, CVE-2020-7052, CVE-2019-9012, CVE-2019-9010, CVE-2019-9009, CVE-2018-10612

In addition to the CVEs listed above, the affected products are also affected by the following three vulnerabilites without a CVE ID:

CODESYS Advisory 2018-07

A crafted communication request may cause an access violation in the affected CODESYS products and may result in a denial-of-service condition.

CVSSv3.0 base score 6.5
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Link to advisory


CODESYS Advisory 2018-04

The CODESYS runtime system allows to access files outside the restricted working directory of the controller by online services

CVSSv3.0 base score 9.9
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Link to advisory


CODESYS Advisory 2017-03
A crafted request may cause an access violation in the affected CODESYS products and may result in a denial-of-service condition

CVSSv3.0 base score 7.5
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Link to advisory

Vulnerabilities



CVE-2018-10612
9.8
Last Update
Sept. 8, 2021, 9:06 a.m.
Severity
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Improper Access Control (CWE-284)
Summary

In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior to version 3.5.14.0, user access management and communication encryption is not enabled by default, which could allow an attacker access to the device and sensitive information, including user credentials.

Details
nvd.nist.gov 
CVE-2019-9010
9.8
Last Update
Sept. 8, 2021, 8:50 a.m.
Severity
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Insufficient Information (NVD-CWE-noinfo)
Summary

An issue was discovered in 3S-Smart CODESYS V3 products. The CODESYS Gateway does not correctly verify the ownership of a communication channel. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, CODESYS V3 Development System.

Details
nvd.nist.gov 
CVE-2019-5105
7.5
Last Update
Sept. 8, 2021, 8:50 a.m.
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Out-of-bounds Write (CWE-787)
Summary

An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService. A specially crafted packet can cause a large memcpy, resulting in an access violation and termination of the process. An attacker can send a packet to a device running the GatewayService.exe to trigger this vulnerability. All variants of the CODESYS V3 products in all versions prior V3.5.16.10 containing the CmpRouter or CmpRouterEmbedded component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PLCnext, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS Control V3 Runtime System Toolkit, CODESYS V3 Embedded Target Visu Toolkit, CODESYS V3 Remote Target Visu Toolkit, CODESYS V3 Safety SIL2, CODESYS Edge Gateway V3, CODESYS Gateway V3, CODESYS HMI V3, CODESYS OPC Server V3, CODESYS PLCHandler SDK, CODESYS V3 Simulation Runtime (part of the CODESYS Development System).

Details
nvd.nist.gov 
CVE-2019-9012
7.5
Last Update
Sept. 8, 2021, 8:50 a.m.
Severity
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Allocation of Resources Without Limits or Throttling (CWE-770)
Summary

An issue was discovered in 3S-Smart CODESYS V3 products. A crafted communication request may cause uncontrolled memory allocations in the affected CODESYS products and may result in a denial-of-service condition. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, CODESYS V3 Development System.

Details
nvd.nist.gov 
CVE-2021-29241
7.5
Last Update
Nov. 17, 2022, 1:09 p.m.
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
NULL Pointer Dereference (CWE-476)
Summary
CODESYS Gateway 3 before 3.5.16.70 has a NULL pointer dereference that may result in a denial of service (DoS).
Details
nvd.nist.gov 
CVE-2019-9009
7.5
Last Update
Sept. 8, 2021, 8:50 a.m.
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Improper Handling of Exceptional Conditions (CWE-755)
Summary

An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash.

Details
nvd.nist.gov 
CVE-2021-29242
7.3
Last Update
Sept. 8, 2021, 8:49 a.m.
Severity
7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Weakness
Improper Input Validation (CWE-20)
Summary

CODESYS Control Runtime system before 3.5.17.0 has improper input validation. Attackers can send crafted communication packets to change the router's addressing scheme and may re-route, add, remove or change low level communication packages.

Details
nvd.nist.gov 
CVE-2020-7052
6.5
Last Update
Sept. 8, 2021, 8:50 a.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness
Allocation of Resources Without Limits or Throttling (CWE-770)
Summary

CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation which can result in a remote denial of service condition.

Details
nvd.nist.gov 

Impact

To be able to exploit this vulnerability the attacker first needs to gain any kind of network access to the system.
When the system is reachable over the network these vulnerabilities can be exploited with following possible impacts/damages to the system:

  • Data loss in the laser control
  • Standstill of production
  • Damage by change of the laser control
  • Interception of sensitive data

Safety is not affected since it is controlled by an independent electromechanical safety mechanism.

Solution

  • We highly recommend updating to TruControl version 3.16.0 or higher as soon as possible
  • Please contact your service partner (service.tls@trumpf.com) for immediate instructions on how to retrieve the update

Reported by

CODESYS GmbH published the original reports.

TRUMPF Laser GmbH reported the vulnerability to CERT@VDE.