
ID

VDE-2024-040

Published

2024-08-26 13:00 (CEST)

Last update

2024-08-22 15:36 (CEST)

Vendor(s)

TRUMPF SE

Product(s)

Article No.  Product Name                            Affected Version(s)
-            TruControl installed on redpowerDirect  < 1.60.0
-            TruControl installed on TruDiode        < 1.60.0
-            TruControl installed on TruDisk         < 1.60.0
-            TruControl installed on TruMicro 2000   < 1.60.0
-            TruControl installed on TruMicro 5000   < 1.60.0
-            TruControl installed on TruMicro 6000   < 1.60.0
-            TruControl installed on TruMicro 7000   < 1.60.0
-            TruControl installed on TruMicro 8000   < 1.60.0
-            TruControl installed on TruMicro 9000   < 1.60.0
-            TruControl installed on TruPulse        < 1.60.0

Summary

TruControl laser control software prior to version 1.60.0 ships an OpenSSH server version affected by CVE-2024-6387. The affected OpenSSH server version could potentially lead to remote code execution.


Last Update:

Aug. 30, 2024, 9:21 a.m.

Weakness

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)

Summary

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.


Impact

To exploit this vulnerability the attacker first needs to gain some kind of network access to the system. The remote code execution vulnerability could give the attacker access to the laser control system, which could lead to the following possible impacts/damages to the system:

  • Data loss in the laser control
  • Standstill of production
  • Damage by changes to the laser control

Safety is not affected since it is controlled by an independent electromechanical safety mechanism.

Solution

Remediation

Update to the first fixed version 1.06.00 or, ideally, to the newest release 04.04.00.
Please contact your service partner (service.tls@trumpf.com) for instructions on how to be informed automatically about the newest major release 4.04.0 of the TruControl software.
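To find which machines still need the update, an operator can check an asset inventory against the advisory's rule (the listed products with TruControl below 1.60.0). The script below is an added example written for this advisory; it is not TRUMPF's or CERT@VDE's code. The product names and the 1.60.0 threshold come from the product table above; the hostnames, CSV layout and installed versions are constructed sample data. It deliberately compares versions numerically, because a plain string comparison sorts "1.9.0" after "1.60.0" and would miss that host.

```python
"""Flag TruControl installations that are still below the first fixed version.

Added example; not TRUMPF's or CERT@VDE's code. The rule implemented is the
advisory's product table (TruControl < 1.60.0 on the listed products). The
inventory below is constructed sample data, not real hosts.
"""
from __future__ import annotations

import csv
import io
import re
from typing import NamedTuple

FIRST_FIXED_VERSION = "1.60.0"  # threshold taken from the advisory's product table

# Product names as listed in the advisory's product table.
AFFECTED_PRODUCTS = frozenset({
    "redpowerDirect", "TruDiode", "TruDisk", "TruMicro 2000", "TruMicro 5000",
    "TruMicro 6000", "TruMicro 7000", "TruMicro 8000", "TruMicro 9000", "TruPulse",
})

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = """\
host,product,trucontrol_version
laser-01,TruDisk,1.59.2
laser-02,TruMicro 5000,1.60.0
laser-03,TruPulse,1.9.0
laser-04,TruMicro 7000,01.60.00
laser-05,TruDiode,1.60
"""


class Asset(NamedTuple):
    host: str
    product: str
    trucontrol_version: str


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version into integers ('01.60.00' -> (1, 60, 0)).

    Raises ValueError for non-numeric components so that an unparseable
    inventory entry fails loudly instead of silently passing the check.
    """
    parts = version.strip().split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric 'a < b'. A string compare gets this wrong: '1.9.0' sorts
    after '1.60.0' lexicographically, so a naive check would miss that host."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))  # pad so '1.60' compares equal to '1.60.0'
    tb += (0,) * (width - len(tb))
    return ta < tb


def is_affected(asset: Asset) -> bool:
    """True when the asset matches the advisory's affected-product rule."""
    if asset.product not in AFFECTED_PRODUCTS:
        return False
    return version_lt(asset.trucontrol_version, FIRST_FIXED_VERSION)


def load_inventory(text: str) -> list[Asset]:
    """Read a CSV with host,product,trucontrol_version columns."""
    reader = csv.DictReader(io.StringIO(text))
    return [Asset(r["host"], r["product"], r["trucontrol_version"]) for r in reader]


def find_affected(inventory_csv: str) -> list[str]:
    """Hostnames whose TruControl is still below the first fixed version."""
    return [a.host for a in load_inventory(inventory_csv) if is_affected(a)]


if __name__ == "__main__":
    for host in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: TruControl below {FIRST_FIXED_VERSION}, update required")
```

On the sample data only laser-01 (1.59.2) and laser-03 (1.9.0) are reported; the zero-padded "01.60.00" and the two-component "1.60" are correctly treated as already fixed.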

Reported by

CERT@VDE coordinated with TRUMPF SE