| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | TruControl installed on redpowerDirect | < 1.60.0 |
| | TruControl installed on TruDiode | < 1.60.0 |
| | TruControl installed on TruDisk | < 1.60.0 |
| | TruControl installed on TruMicro 2000 | < 1.60.0 |
| | TruControl installed on TruMicro 5000 | < 1.60.0 |
| | TruControl installed on TruMicro 6000 | < 1.60.0 |
| | TruControl installed on TruMicro 7000 | < 1.60.0 |
| | TruControl installed on TruMicro 8000 | < 1.60.0 |
| | TruControl installed on TruMicro 9000 | < 1.60.0 |
| | TruControl installed on TruPulse | < 1.60.0 |
TruControl laser control software prior to version 1.60.0 ships an OpenSSH server version affected by CVE-2024-6387. The affected OpenSSH server version could potentially allow remote code execution.

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
To exploit this vulnerability, the attacker first needs some form of network access to the system. The remote code execution vulnerability could give the attacker access to the laser control system, which could lead to the following possible impacts/damages to the system:

- Damage by change of the laser control

Safety is not affected, since it is controlled by an independent electromechanical safety mechanism.
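Because the race condition is only reachable by repeatedly letting the authentication grace period expire, a burst of pre-authentication timeouts from one source in sshd's log is the signal a defender can watch for on an affected control system. The following detection is an added example and not part of this advisory or of TRUMPF's software; the syslog lines, host name and addresses are constructed, and the "Timeout before authentication" message format and the threshold/window values are assumptions to be adjusted to the real log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed syslog shape of sshd's timeout message when the login grace period
# expires without a completed authentication (format is an assumption).
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Timeout before authentication for (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log: one source times out three times within minutes,
# another times out once, and an ordinary successful login is mixed in.
SAMPLE_LOG = """\
Jul  2 10:00:01 laser-ctl sshd[2101]: Timeout before authentication for 192.0.2.55 port 40110
Jul  2 10:00:03 laser-ctl sshd[2108]: Accepted publickey for service from 198.51.100.7 port 51022 ssh2
Jul  2 10:01:14 laser-ctl sshd[2115]: Timeout before authentication for 192.0.2.55 port 40112
Jul  2 10:02:20 laser-ctl sshd[2120]: Timeout before authentication for 198.51.100.7 port 51030
Jul  2 10:02:31 laser-ctl sshd[2131]: Timeout before authentication for 192.0.2.55 port 40118
""".splitlines()


def parse_timeouts(lines):
    """Yield (timestamp, source_ip) for every pre-authentication timeout line."""
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if m:
            # Syslog lines carry no year; only differences between stamps matter here.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip")


def flag_sources(lines, threshold=3, window_seconds=600):
    """Return {source_ip: count} for sources with >= threshold timeouts inside any window."""
    events = defaultdict(list)
    for ts, ip in parse_timeouts(lines):
        events[ip].append(ts)
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))  # {'192.0.2.55': 3}
```

A single timeout is normal operator behaviour (an idle session left at the password prompt); only sustained repetition from one source is worth an alert, so tune the threshold and window to the system's usual traffic.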
Remediation
Update to the first fixed version 1.06.00 or, ideally, to the newest release 04.04.00.

Please contact your service partner (service.tls@trumpf.com) for instructions on how to be automatically informed about the newest major release 4.04.0 of the TruControl software.
CERT@VDE coordinated with TRUMPF SE