The TRUMPF remote support infrastructure selects an outdated encryption algorithm when setting up communication channels for machines. This cannot be prevented for old machines. For most machines it is possible to change the encryption settings.
TruControl laser control software prior to version 1.60.0 uses an OpenSSH server version affected by CVE-2024-6387. The affected OpenSSH Server version could potentially lead to a remote code execution.
TruControl laser control software from versions 3.50.0 to 4.00.0.B use Linux kernel versions affected by CVE-2024-1086. The affected kernel vulnerability could lead to local privilege escalation.
The TRUMPF CAD/CAM software tools mentioned above use the vulnerable CodeMeter Runtime (up to version 7.60d) application from WIBU-SYSTEMS AG to manage licenses within the component TRUMPF License Expert. This CodeMeter application contains new vulnerabilities, which may enable an attacker to gain full access to the server or workstation on which the TRUMPF License Expert has been installed on. A new version of the TRUMPF License Expert which fixes these vulnerabilities is available.
The TRUMPF CAD/CAM software tools mentioned above use the vulnerable CodeMeter Runtime (up to version 7.60b) application from WIBU-SYSTEMS AG to manage licenses within the component TRUMPF License Expert. This CodeMeter application contains new vulnerabilities, which may enable an attacker to gain full access to the server or workstation on which the TRUMPF License Expert has been installed on. A new version of the TRUMPF License Expert which fixes this vulnerability is available.
Machines with a running and correctly installed mGuard hardware firewall cannot be exploited by this vulnerability if used as intended (according to the manual).
Update A, 2023-11-13
Removed CVE-2023-4701 because it was revoked.