VDE-2022-016 | CERT@VDE

2022-05-02 12:00 (CEST) VDE-2022-016

TRUMPF: TruTops Fab, TruTops Boost prone to vulnerability

Share: Email | Twitter

ID

VDE-2022-016

Published

2022-05-02 12:00 (CEST)

Last update

2022-06-21 06:49 (CEST)

Vendor(s)

TRUMPF Laser GmbH
TRUMPF Werkzeugmaschinen SE + Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	TruTops Boost	V13.01 <= V13.05.
	TruTops Boost	= V13.08.21
	TruTops Fab	V22.01. <= V22.05.
	TruTops Fab	= V22.08.21
	TruTops Monitor	V22.01. <= V22.05.
	TruTops Monitor	= V22.08.21

Summary

A service function in the stated TRUMPF products is exposed without necessary authentication. Execution of this function may result in unauthorized access to, change of data or disruption of the whole service.

CVE ID

CVE-2022-1300

Last Update:

Nov. 17, 2022, 11:18 a.m.

Severity

9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness

Missing Authentication for Critical Function (CWE-306)

Summary

Multiple Version of TRUMPF TruTops products expose a service function without necessary authentication. Execution of this function may result in unauthorized access to change of data or disruption of the whole service.

Details

nvd.nist.gov

Impact

The stated TRUMPF products implement a newly introduced service function that enables functionality intentionally restricted to service technicians via network access. Using this function without authentication, an attacker connected to the network could execute several commands on the host computer using elevated privileges.

Solution

Use the updated versions of the TRUMPF products that will be available via your service channel shortly or the hotfix, on following link: https://files.trumpf.com/w/LmhlkCA74heAIdS4GvJDDHqirMU0dpXbTRr7Erw8CXBvQ

Reported by

CERT@VDE coordinated with TRUMPF