VDE-2022-016

Vulnerability from csaf_trumpfsecokg - Published: 2022-05-02 10:00 - Updated: 2022-05-02 10:00
Summary
TRUMPF: TruTops Fab, TruTops Boost prone to vulnerability
Notes
Summary: A service function in the stated TRUMPF products is exposed without the necessary authentication. Execution of this function may result in unauthorized access to data, modification of data, or disruption of the whole service.
Impact: The stated TRUMPF products implement a newly introduced service function that exposes, over the network, functionality intentionally restricted to service technicians. Because the function requires no authentication, an attacker with network access to the host could execute several commands on the host computer with elevated privileges.
Remediation: Use the updated versions of the TRUMPF products, which will be available through your service channel shortly, or the hotfix at the following link: https://files.trumpf.com/w/LmhlkCA74heAIdS4GvJDDHqirMU0dpXbTRr7Erw8CXBvQ

Multiple versions of TRUMPF TruTops products expose a service function without the necessary authentication. Execution of this function may result in unauthorized access to data, modification of data, or disruption of the whole service. The issue is tracked as CVE-2022-1300 with a CVSS v3.1 base score of 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges and no user interaction required. Although the title names only TruTops Fab and TruTops Boost, the product tree in the CSAF record below also lists TruTops Monitor as affected. Affected versions per the product tree: TruTops Boost V13.01 to V13.05 and V13.08.21; TruTops Fab V22.01 to V22.05 and V22.08.21; TruTops Monitor V22.01 to V22.05 and V22.08.21. The advisory gives no fixed version numbers, so a build outside these ranges is merely not listed, not confirmed fixed.

CWE-306 - Missing Authentication for Critical Function
Vendor Fix: Use the updated versions of the TRUMPF products, which will be available through your service channel shortly, or the hotfix at the following link: https://files.trumpf.com/w/LmhlkCA74heAIdS4GvJDDHqirMU0dpXbTRr7Erw8CXBvQ
Acknowledgments
CERT@VDE (coordination), https://certvde.com
M. Ankith, Honeywell (reporting)

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "M. Ankith"
        ],
        "organization": "Honeywell",
        "summary": "reporting"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "A service function in the stated TRUMPF products is exposed without necessary authentication. Execution of this function may result in unauthorized access to, change of data or disruption of the whole service.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The stated TRUMPF products implement a newly introduced service function that enables functionality intentionally restricted to service technicians via network access. Using this function without authentication, an attacker connected to the network could execute several commands on the host computer using elevated privileges.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Use the updated versions of the TRUMPF products that will be available via your service channel shortly or the hotfix, on following link:\u00a0https://files.trumpf.com/w/LmhlkCA74heAIdS4GvJDDHqirMU0dpXbTRr7Erw8CXBvQ",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "product.security@trumpf.com",
      "name": "Trumpf SE + Co. KG",
      "namespace": "https://www.trumpf.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Trumpf SE + Co. KG",
        "url": "https://certvde.com/en/advisories/vendor/trumpf"
      },
      {
        "category": "self",
        "summary": "VDE-2022-016: TRUMPF: TruTops Fab, TruTops Boost prone to vulnerability - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2022-016/"
      },
      {
        "category": "self",
        "summary": "VDE-2022-016: TRUMPF: TruTops Fab, TruTops Boost prone to vulnerability - CSAF",
        "url": "https://trumpf.csaf-tp.certvde.com/.well-known/csaf/white/2022/vde-2022-016.json"
      }
    ],
    "title": "TRUMPF: TruTops Fab, TruTops Boost prone to vulnerability",
    "tracking": {
      "aliases": [
        "VDE-2022-016"
      ],
      "current_release_date": "2022-05-02T10:00:00.000Z",
      "generator": {
        "date": "2025-05-28T12:09:04.736Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.26"
        }
      },
      "id": "VDE-2022-016",
      "initial_release_date": "2022-05-02T10:00:00.000Z",
      "revision_history": [
        {
          "date": "2022-05-02T10:00:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version",
                    "name": "V13.08.21",
                    "product": {
                      "name": "TruTops Boost V13.08.21",
                      "product_id": "CSAFPID-51001"
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "V13.01\u003c=V13.05.",
                    "product": {
                      "name": "TruTops Boost V13.01\u003c=V13.05.",
                      "product_id": "CSAFPID-51002"
                    }
                  }
                ],
                "category": "product_name",
                "name": "TruTops Boost"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "V22.01.\u003c=V22.05.",
                    "product": {
                      "name": "TruTops Fab V22.01.\u003c=V22.05.",
                      "product_id": "CSAFPID-51003"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "V22.08.21",
                    "product": {
                      "name": "TruTops Fab V22.08.21",
                      "product_id": "CSAFPID-51004"
                    }
                  }
                ],
                "category": "product_name",
                "name": "TruTops Fab"
              },
              {
                "branches": [
                  {
                    "category": "product_version",
                    "name": "V22.08.21",
                    "product": {
                      "name": "TruTops Monitor V22.08.21",
                      "product_id": "CSAFPID-51005"
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "V22.01.\u003c=V22.05.",
                    "product": {
                      "name": "TruTops Monitor V22.01.\u003c=V22.05.",
                      "product_id": "CSAFPID-51006"
                    }
                  }
                ],
                "category": "product_name",
                "name": "TruTops Monitor"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "Trumpf"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005",
          "CSAFPID-51006"
        ],
        "summary": "Affected products "
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-1300",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "notes": [
        {
          "category": "description",
          "text": "Multiple Version of TRUMPF TruTops products expose a service function without necessary authentication. Execution of this function may result in unauthorized access to change of data or disruption of the whole service.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005",
          "CSAFPID-51006"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Use the updated versions of the TRUMPF products that will be available via your service channel shortly or the hotfix, on following link:\u00a0https://files.trumpf.com/w/LmhlkCA74heAIdS4GvJDDHqirMU0dpXbTRr7Erw8CXBvQ",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002",
            "CSAFPID-51003",
            "CSAFPID-51004",
            "CSAFPID-51005",
            "CSAFPID-51006"
          ]
        }
      ],
      "title": "CVE-2022-1300"
    }
  ]
}
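As an added example (not part of the advisory and not TRUMPF's or CERT@VDE's tooling), the following Python script shows how to triage a CSAF 2.0 record like the one above: it flattens the product_tree, resolves the known_affected product IDs of CVE-2022-1300 to product names and version specifications, reads the CVSS score for a product, and checks whether an installed TruTops version is listed as affected. The embedded JSON is a constructed subset of the document above (TruTops Boost and TruTops Fab branches; the TruTops Monitor branch is omitted for brevity and parses identically). Reading the vendor's "V13.01<=V13.05." strings as inclusive ranges, extended to patch levels by prefix comparison, is an assumption of this example; CSAF does not standardise that notation. All function names are the example's own.

```python
"""Triage helper for a CSAF 2.0 advisory (added example, not vendor code)."""
import json
import re

# Constructed subset of the VDE-2022-016 CSAF record shown above.
CSAF_DOC = json.loads("""
{
  "product_tree": {"branches": [{"category": "vendor", "name": "Trumpf", "branches": [
    {"category": "product_family", "name": "Software", "branches": [
      {"category": "product_name", "name": "TruTops Boost", "branches": [
        {"category": "product_version", "name": "V13.08.21",
         "product": {"name": "TruTops Boost V13.08.21", "product_id": "CSAFPID-51001"}},
        {"category": "product_version_range", "name": "V13.01<=V13.05.",
         "product": {"name": "TruTops Boost V13.01<=V13.05.", "product_id": "CSAFPID-51002"}}
      ]},
      {"category": "product_name", "name": "TruTops Fab", "branches": [
        {"category": "product_version_range", "name": "V22.01.<=V22.05.",
         "product": {"name": "TruTops Fab V22.01.<=V22.05.", "product_id": "CSAFPID-51003"}},
        {"category": "product_version", "name": "V22.08.21",
         "product": {"name": "TruTops Fab V22.08.21", "product_id": "CSAFPID-51004"}}
      ]}
    ]}
  ]}]},
  "vulnerabilities": [{
    "cve": "CVE-2022-1300",
    "cwe": {"id": "CWE-306", "name": "Missing Authentication for Critical Function"},
    "product_status": {"known_affected": ["CSAFPID-51001", "CSAFPID-51002",
                                          "CSAFPID-51003", "CSAFPID-51004"]},
    "scores": [{"cvss_v3": {"baseScore": 9.8, "baseSeverity": "CRITICAL",
                            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
                "products": ["CSAFPID-51001", "CSAFPID-51002", "CSAFPID-51003", "CSAFPID-51004"]}]
  }]
}
""")

_NUM = re.compile(r"\d+(?:\.\d+)*")


def version_key(text):
    """'V13.08.21' -> (13, 8, 21); ignores the 'V' prefix and stray trailing dots."""
    m = _NUM.search(text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def parse_version_spec(category, name):
    """Turn a version branch into ('exact', key) or ('range', lo, hi).
    Assumption: the vendor's 'Va<=Vb' text means every version from a to b inclusive."""
    if category == "product_version_range":
        lo, hi = (version_key(n) for n in _NUM.findall(name)[:2])
        return ("range", lo, hi)
    return ("exact", version_key(name))


def walk_products(branches, product_name=None):
    """Flatten the nested product_tree into (product_id, product_name, spec) tuples."""
    for b in branches:
        if b["category"] == "product_name":
            product_name = b["name"]
        if "product" in b:
            yield b["product"]["product_id"], product_name, parse_version_spec(b["category"], b["name"])
        yield from walk_products(b.get("branches", []), product_name)


def _vuln(doc, cve):
    return next(v for v in doc["vulnerabilities"] if v["cve"] == cve)


def affected_products(doc, cve):
    """Map each known_affected product_id of the CVE to (product_name, spec)."""
    affected = set(_vuln(doc, cve)["product_status"].get("known_affected", []))
    return {pid: (pname, spec)
            for pid, pname, spec in walk_products(doc["product_tree"]["branches"])
            if pid in affected}


def matches(spec, installed):
    """Prefix-aware compare so 13.05.x still falls inside 'V13.01<=V13.05.'."""
    v = version_key(installed)
    if spec[0] == "exact":
        return v[:len(spec[1])] == spec[1]
    _, lo, hi = spec
    return lo <= v and v[:len(hi)] <= hi


def is_affected(doc, cve, product_name, installed):
    """True when the installed version of product_name is listed as affected."""
    return any(pname == product_name and matches(spec, installed)
               for pname, spec in affected_products(doc, cve).values())


def cvss_for(doc, cve, product_id):
    """(baseScore, vectorString) for the score entry covering product_id, or None."""
    for s in _vuln(doc, cve)["scores"]:
        if product_id in s["products"]:
            return s["cvss_v3"]["baseScore"], s["cvss_v3"]["vectorString"]
    return None


if __name__ == "__main__":
    for product, version in [("TruTops Boost", "13.03.7"), ("TruTops Boost", "13.06"),
                             ("TruTops Fab", "22.08.21"), ("TruTops Fab", "22.10")]:
        state = "affected" if is_affected(CSAF_DOC, "CVE-2022-1300", product, version) else "not listed"
        print(f"{product} {version}: {state}")
```

To run it against the published record, replace CSAF_DOC with json.load() of vde-2022-016.json; the walk handles the TruTops Monitor branch the same way. Because the advisory names no fixed versions, a version outside every listed range only means "not listed", which is not the same as "fixed"; confirm the hotfix status with the vendor.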