VDE-2021-011
Vulnerability from csaf_trumpfsecokg - Published: 2021-03-22 08:59 - Updated: 2026-02-02 14:25
Summary
TRUMPF Laser GmbH: TruControl 2.14.0 to 3.14.0 affected by recent sudo vulnerability
Notes
Summary: TruControl laser control software from versions 2.14.0 to 3.14.0 uses sudo versions affected by CVE-2021-3156. The affected sudo has a heap-based buffer overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
Impact: To be able to exploit this vulnerability the attacker first needs to gain any kind of user access to the system.
When logged on to the system, the privilege escalation vulnerability can be exploited with the following possible impacts/damages to the system:
- Data loss in the laser control
- Standstill of production
- Damage by change of the laser control
Safety is not affected since it is controlled by an independent electromechanical safety mechanism.
Remediation:
- Update to TruControl version 3.16.0 or higher
- Please contact your service partner (service.tls@trumpf.com) for instructions on how to retrieve the patch
A Denial of Service vulnerability was found in Hilscher PROFINET IO Device V3 in versions prior to V3.14.0.7. This may lead to unexpected loss of cyclic communication or interruption of acyclic communication.
7.8 (High)
Vendor Fix
- Update to TruControl version 3.16.0 or higher or
- Please contact your service partner (service.tls@trumpf.com) for instructions on how to retrieve the patch
References
Acknowledgments
CERT@VDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "the coordination and support with this publication.",
"urls": [
"https://certvde.com"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "TruControl laser control software from versions 2.14.0 to 3.14.0 use sudo versions affected by CVE-2021-3156. The affected sudo has a heap-based buffer overflow, allowing privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character.",
"title": "Summary"
},
{
"category": "description",
"text": "To be able to exploit this vulnerability the attacker first needs to gain any kind of user access to the system.\n\nWhen logged on to the system the privilege escalation vulnerability can be exploited with following possible impacts/damages to the system:\n\n- Data loss in the laser control\n- Standstill of production\n- Damage by change of the laser control\n\nSafety is not affected since it is controlled by an independent electromechanical safety mechanism.",
"title": "Impact"
},
{
"category": "description",
"text": "- Update to TruControl version 3.16.0 or higher\n- Please contact your service partner (service.tls@trumpf.com) for instructions on how to retrieve the patch",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "product.security@trumpf.com",
"name": "Trumpf SE + Co. KG",
"namespace": "https://www.trumpf.com"
},
"references": [
{
"category": "self",
"summary": "VDE-2021-011: TRUMPF Laser GmbH: TruControl 2.14.0 to 3.14.0 affected by recent sudo vulnerability - HTML",
"url": "https://certvde.com/en/advisories/VDE-2021-011/"
},
{
"category": "self",
"summary": "VDE-2021-011: TRUMPF Laser GmbH: TruControl 2.14.0 to 3.14.0 affected by recent sudo vulnerability - CSAF",
"url": "https://trumpf.csaf-tp.certvde.com/.well-known/csaf/white/2021/vde-2021-011.json"
},
{
"category": "external",
"summary": "TRUMPF advisory overview at CERT@VDE",
"url": "https://certvde.com/en/advisories/vendor/trumpf/"
}
],
"source_lang": "en",
"title": "TRUMPF Laser GmbH: TruControl 2.14.0 to 3.14.0 affected by recent sudo vulnerability",
"tracking": {
"aliases": [
"VDE-2021-011"
],
"current_release_date": "2026-02-02T14:25:00.000Z",
"generator": {
"date": "2024-11-25T13:11:10.222Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.15"
}
},
"id": "VDE-2021-011",
"initial_release_date": "2021-03-22T08:59:00.000Z",
"revision_history": [
{
"date": "2021-03-22T08:59:00.000Z",
"number": "1.0.0",
"summary": "initial revision"
},
{
"date": "2025-04-10T13:00:00.000Z",
"number": "2.0.0",
"summary": "Fixed csaf reference URL and publisher information."
},
{
"date": "2025-05-14T13:00:14.000Z",
"number": "3.0.0",
"summary": "Fix: added distribution"
},
{
"date": "2026-02-02T14:25:00.000Z",
"number": "4.0.0",
"summary": "Fix: CSAF Document Alias had the wrong VDE-ID, changed revision versioning scheme to semver"
}
],
"status": "final",
"version": "4.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "redpowerDirect",
"product": {
"name": "Hardware redpowerDirect",
"product_id": "CSAFPID-11001"
}
},
{
"category": "product_name",
"name": "TruDiode",
"product": {
"name": "Hardware TruDiode",
"product_id": "CSAFPID-11002"
}
},
{
"category": "product_name",
"name": "TruDisk",
"product": {
"name": "Hardware TruDisk",
"product_id": "CSAFPID-11003"
}
},
{
"category": "product_name",
"name": "TruFiber",
"product": {
"name": "Hardware TruFiber",
"product_id": "CSAFPID-11004"
}
},
{
"category": "product_name",
"name": "TruMicro2000",
"product": {
"name": "Hardware TruMicro2000",
"product_id": "CSAFPID-11005"
}
},
{
"category": "product_name",
"name": "TruMicro5000",
"product": {
"name": "Hardware TruMicro5000",
"product_id": "CSAFPID-11006"
}
},
{
"category": "product_name",
"name": "TruMicro6000",
"product": {
"name": "Hardware TruMicro6000",
"product_id": "CSAFPID-11007"
}
},
{
"category": "product_name",
"name": "TruMicro7000",
"product": {
"name": "Hardware TruMicro7000",
"product_id": "CSAFPID-11008"
}
},
{
"category": "product_name",
"name": "TruMicro8000",
"product": {
"name": "Hardware TruMicro8000",
"product_id": "CSAFPID-11009"
}
},
{
"category": "product_name",
"name": "TruMicro9000",
"product": {
"name": "Hardware TruMicro9000",
"product_id": "CSAFPID-11010"
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "2.14.0\u003c=3.14.0",
"product": {
"name": "TruControl 2.14.0\u003c=3.14.0",
"product_id": "CSAFPID-51001"
}
},
{
"category": "product_version",
"name": "3.16.0",
"product": {
"name": "TruControl 3.16.0",
"product_id": "CSAFPID-52001"
}
}
],
"category": "product_name",
"name": "TruControl"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "TRUMPF"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007",
"CSAFPID-32008",
"CSAFPID-32009",
"CSAFPID-32010"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 2.14.0\u003c=3.14.0 installed on Hardware redpowerDirect",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 2.14.0\u003c=3.14.0 installed on Hardware TruDiode",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 2.14.0\u003c=3.14.0 installed on Hardware TruDisk",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 2.14.0\u003c=3.14.0 installed on Hardware TruFiber",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 2.14.0\u003c=3.14.0 installed on Hardware TruMicro2000",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 2.14.0\u003c=3.14.0 installed on Hardware TruMicro5000",
"product_id": "CSAFPID-31006"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-11006"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 2.14.0\u003c=3.14.0 installed on Hardware TruMicro6000",
"product_id": "CSAFPID-31007"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-11007"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 2.14.0\u003c=3.14.0 installed on Hardware TruMicro7000",
"product_id": "CSAFPID-31008"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-11008"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 2.14.0\u003c=3.14.0 installed on Hardware TruMicro8000",
"product_id": "CSAFPID-31009"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-11009"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 2.14.0\u003c=3.14.0 installed on Hardware TruMicro9000",
"product_id": "CSAFPID-31010"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-11010"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 3.16.0 installed on Hardware redpowerDirect",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 3.16.0 installed on Hardware TruDiode",
"product_id": "CSAFPID-32002"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 3.16.0 installed on Hardware TruDisk",
"product_id": "CSAFPID-32003"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 3.16.0 installed on Hardware TruFiber",
"product_id": "CSAFPID-32004"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 3.16.0 installed on Hardware TruMicro2000",
"product_id": "CSAFPID-32005"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 3.16.0 installed on Hardware TruMicro5000",
"product_id": "CSAFPID-32006"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-11006"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 3.16.0 installed on Hardware TruMicro6000",
"product_id": "CSAFPID-32007"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-11007"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 3.16.0 installed on Hardware TruMicro7000",
"product_id": "CSAFPID-32008"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-11008"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 3.16.0 installed on Hardware TruMicro8000",
"product_id": "CSAFPID-32009"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-11009"
},
{
"category": "installed_on",
"full_product_name": {
"name": "TruControl 3.16.0 installed on Hardware TruMicro9000",
"product_id": "CSAFPID-32010"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-11010"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-3156",
"cwe": {
"id": "CWE-193",
"name": "Off-by-one Error"
},
"notes": [
{
"category": "description",
"text": "A Denial of Service vulnerability was found in Hilscher PROFINET IO Device V3 in versions prior to V3.14.0.7. This may lead to unexpected loss of cyclic communication or interruption of acyclic communication.",
"title": "Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007",
"CSAFPID-32008",
"CSAFPID-32009",
"CSAFPID-32010"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "- Update to TruControl version 3.16.0 or higher or\n- Please contact your service partner (service.tls@trumpf.com) for instructions on how to retrieve the patch",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010"
]
}
],
"title": "CVE-2021-3156"
}
]
}