VDE-2025-078

Vulnerability from csaf_trumpfsecokg - Published: 2025-08-25 06:00 - Updated: 2025-08-29 10:00
Summary
TRUMPF: Remote support uses an outdated encryption algorithm
Severity
High
Notes
Summary: The TRUMPF remote support infrastructure selects an outdated encryption algorithm, a cipher of the DES/Triple DES family with a 64-bit block size (CVE-2016-2183, "Sweet32"), when setting up communication channels for machines. This cannot be prevented for old machines. For most machines it is possible to change the encryption settings.
Impact: In high-traffic sessions, an attacker with access to the network stream may be able to sniff and decrypt the data exchanged during a remote support session. A Sweet32-style attack needs on the order of 2^32 (about four billion) 64-bit blocks, i.e. tens of gigabytes of ciphertext within one session, plus some known or attacker-influenced plaintext in the stream, so only long, high-volume sessions are realistic targets. High-traffic sessions typically only contain VNC data, as the machine's screen content is transmitted. A potential attack may also allow the decryption of large software update sessions, which contain software update packages sent from the TRUMPF infrastructure to the machine. However, all vulnerable devices have been excluded from the software update until a secure state is reinstated.
Disclaimer: This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. TRUMPF SE + Co. KG reserves the right to change or update this document at any time.
Remediation: Since August 8th, 2025, an automated configuration update is available for TRUMPF machines with a Telepresence Box 7.0.0 and newer. It is applied automatically when a remote session is activated from the machine; a TRUMPF technician does not need to join the session. Please refer to your operator's manual on how to activate a remote session on your TRUMPF machine.

The update takes up to 5 minutes. After a successful update, the remote session is closed automatically. If the session is not closed automatically, the update has already been applied or is not needed on that machine.

Machines using a Telepresence Box 6.x and older cannot use secure encryption. All customers still connecting to TRUMPF with such a device will be identified by TRUMPF and contacted with further information. A new Telepresence Box can be ordered via your sales representative; in that case, please contact TRUMPF Service for installation.

Please note that from July 1st, 2026, onward, machines with a Telepresence Box 6.x and older will no longer be able to connect to the TRUMPF infrastructure.

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
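The Sweet32 mechanism described above, as an added worked example (this is illustration code written for this page, not code from TRUMPF or from the Telepresence Box product): it computes the birthday bound for 64-bit versus 128-bit blocks, shows what a ciphertext-block collision leaks in CBC mode using a small keyed permutation as a stand-in for 3DES (so the collision appears in milliseconds instead of after tens of gigabytes), and screens cipher-suite names for the DES family. The ToyBlockCipher, the key, the seed, the sample plaintext and the cipher-suite list are all constructed for the demonstration.

```python
"""Sweet32 (CVE-2016-2183) illustrated: a 64-bit block cipher such as 3DES in CBC
mode starts leaking plaintext once one session has carried about 2^32 blocks.
Added example for this advisory; it is not TRUMPF or Telepresence Box code."""
import math
import random

# --- 1. How much traffic a session must carry before a block collision is likely ---

def collision_probability(block_bits: int, n_blocks: int) -> float:
    """Birthday approximation p ~ 1 - exp(-n^2 / (2 * 2^b)) for n ciphertext blocks
    of b bits under one key. expm1 keeps precision when p is tiny (AES-sized blocks)."""
    return -math.expm1(-(n_blocks ** 2) / (2.0 * 2 ** block_bits))


def sweet32_bound(block_bits: int, probability: float = 0.5) -> tuple[int, float]:
    """Blocks and bytes of ciphertext needed to reach `probability` of a collision."""
    n_blocks = math.sqrt(-2.0 * 2 ** block_bits * math.log(1.0 - probability))
    return int(n_blocks), n_blocks * block_bits / 8


# --- 2. What a collision gives the attacker in CBC mode ---

class ToyBlockCipher:
    """Keyed random permutation on small blocks (constructed stand-in for 3DES, so the
    birthday collision appears quickly). The CBC leak below has the same shape for any
    block size; only the amount of traffic needed changes."""

    def __init__(self, key: int, block_bits: int = 16):
        self.block_bits = block_bits
        self._table = list(range(1 << block_bits))
        random.Random(key).shuffle(self._table)

    def encrypt_block(self, block: int) -> int:
        return self._table[block]


def cbc_encrypt(cipher: ToyBlockCipher, iv: int, blocks: list[int]) -> list[int]:
    """Textbook CBC: C_i = E(P_i xor C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = cipher.encrypt_block(p ^ prev)
        out.append(prev)
    return out


def find_cbc_collisions(iv: int, ciphertext: list[int]) -> list[tuple[int, int, int]]:
    """Passive attacker: look for C_i == C_j. Because E is a permutation that means
    P_i xor C_{i-1} == P_j xor C_{j-1}, hence P_i xor P_j == C_{i-1} xor C_{j-1},
    a value computed from ciphertext alone. Returns a list of (i, j, P_i xor P_j)."""
    chain = [iv] + ciphertext          # chain[k] is C_{k-1}
    seen: dict[int, int] = {}
    hits = []
    for idx, c in enumerate(ciphertext):
        if c in seen:
            i = seen[c]
            hits.append((i, idx, chain[i] ^ chain[idx]))
        else:
            seen[c] = idx
    return hits


def demo_toy_sweet32(seed: int = 7, n_blocks: int = 2000, known_prefix: int = 500):
    """Encrypt n_blocks random 16-bit blocks (constructed sample data). The attacker
    knows the first known_prefix blocks, as Sweet32 assumes some known or injected
    plaintext. With ~2000 blocks against a 2^16 block space a collision is practically
    certain (p ~ 1 - exp(-30)). Returns (every_leak_correct, n_collisions, n_recovered),
    where n_recovered counts unknown blocks recovered via a known/unknown pairing."""
    rng = random.Random(seed)
    cipher = ToyBlockCipher(key=0xC0FFEE)
    plaintext = [rng.getrandbits(16) for _ in range(n_blocks)]
    iv = rng.getrandbits(16)
    hits = find_cbc_collisions(iv, cbc_encrypt(cipher, iv, plaintext))
    every_leak_correct = all(x == plaintext[i] ^ plaintext[j] for i, j, x in hits)
    n_recovered = 0
    for i, j, leaked_xor in hits:
        if i < known_prefix <= j:                  # known block xor unknown block
            recovered = leaked_xor ^ plaintext[i]  # attacker knows plaintext[i]
            n_recovered += recovered == plaintext[j]
    return every_leak_correct, len(hits), n_recovered


# --- 3. Screening negotiated cipher suites for the DES family ---

def is_sweet32_suite(suite: str) -> bool:
    """True for DES / Triple DES suites in either IANA (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
    or OpenSSL (DES-CBC3-SHA) spelling. Note that 'AES' does not contain 'DES'."""
    return "DES" in suite.upper()


if __name__ == "__main__":
    blocks, nbytes = sweet32_bound(64)
    print(f"3DES: {blocks:.3e} blocks (~{nbytes / 1e9:.0f} GB) for a 50% collision chance")
    print(f"p at 2^32 blocks: 3DES {collision_probability(64, 2**32):.3f}, "
          f"AES {collision_probability(128, 2**32):.1e}")
    print("toy CBC leak (all correct, collisions, recovered):", demo_toy_sweet32())
    for s in ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "ECDHE-RSA-DES-CBC3-SHA",
              "TLS_AES_128_GCM_SHA256"]:          # constructed sample of negotiated suites
        print(f"{s}: {'VULNERABLE' if is_sweet32_suite(s) else 'ok'}")
```

The numbers are what make the advisory's "high-traffic sessions" qualifier concrete: for a 64-bit block the 50% collision point is about 5e9 blocks, roughly 40 GB in one session, whereas for AES the probability at the same traffic volume is around 1e-20. The screening helper is meant to be run over whatever suite names your handshake logging or scanner reports for the remote support channel; the advisory does not state which transport protocol the channel uses, so apply it to the protocol you actually observe.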

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CVSS v3.1: 7.5 (High), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (confidentiality impact only; no integrity or availability impact)
Known affected: Telepresence Box < 7.0.0 (CSAFPID-0004); Telepresence Box 7.0.0 < 8.0.0 with a configuration older than 08.08.2025 (CSAFPID-0002)
Fixed: Telepresence Box 7.0.0 < 8.0.0 with the configuration update of 08.08.2025 or newer (CSAFPID-0001)
Known not affected: Telepresence Box >= 8.0.0 (CSAFPID-0005)
Vendor Fix: Since August 8th, 2025, an automated configuration update is available for TRUMPF machines with a Telepresence Box 7.0.0 and newer. It will automatically be applied when activating a remote session from the machine. It is not necessary for a TRUMPF technician to join the session.
No Fix Planned: Machines using a Telepresence Box 6.x and older cannot use secure encryption. All customers still connecting to TRUMPF with such a device will be identified by TRUMPF and contacted with further information. It is possible to order a new Telepresence Box via your sales representative. In such a case, please contact TRUMPF Service for installation.
Acknowledgments
CERT@VDE certvde.com

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "aggregate_severity": {
      "text": "High"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "The TRUMPF remote support infrastructure selects an outdated encryption algorithm when setting up communication channels for machines. This cannot be prevented for old machines. For most machines it is possible to change the encryption settings.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "In high-traffic sessions, an attacker with access to the network stream may be able to sniff and decrypt the data exchanged during a remote support session. High-traffic sessions typically only contain VNC data, as the machine\u0027s screen content is transmitted. A potential attack may also allow the decryption of large software update sessions, which contain software update packages sent from the TRUMPF infrastructure to the machine. However, all vulnerable devices have been excluded from the software update until a secure state is reinstated.",
        "title": "Impact"
      },
      {
        "category": "legal_disclaimer",
        "text": "This document is provided on an \\\"AS IS\\\" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. TRUMPF SE + Co. KG reserves the right to change or update this document at any time.",
        "title": "Disclaimer"
      },
      {
        "category": "description",
        "text": "Since August 8th, 2025, an automated configuration update is available for TRUMPF machines with a Telepresence Box 7.0.0 and newer. It will automatically be applied when activating a remote session from the machine. A TRUMPF technician doesn\u0027t need to join the session. Please refer to your operator\u0027s manual on how to activate a remote session on your TRUMPF machine.\n\nThe update takes up to 5 minutes. After a successful update, the remote session will automatically be closed. If the session is not automatically closed, then the update has already been applied or is not needed at the machine.\n\nMachines using a Telepresence Box 6.x and older can\u0027t use secure encryption. All customers still connecting to TRUMPF with such a device will be identified by TRUMPF and contacted with further information. It is possible to order a new Telepresence Box via your sales representative. In such a case, please contact the TRUMPF Service for installation.\n\nPlease note that from July 1st, 2026, onward machines with a Telepresence Box 6.x and older will not be able to connect to the TRUMPF infrastructure any longer.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "product.security@trumpf.com",
      "name": "Trumpf SE + Co. KG",
      "namespace": "https://www.trumpf.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "Messages to TRUMPF PSIRT",
        "url": "https://www.trumpf.com/en_GB/meta/security-with-trumpf/message-to-psirt/"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for TRUMPF SE + Co. KG",
        "url": "https://certvde.com/en/advisories/vendor/trumpf/"
      },
      {
        "category": "self",
        "summary": "VDE-2025-078: TRUMPF: Remote support uses an outdated encryption algorithm - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2025-078"
      },
      {
        "category": "self",
        "summary": "VDE-2025-078: TRUMPF: Remote support uses an outdated encryption algorithm - CSAF",
        "url": "https://trumpf.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-078.json"
      },
      {
        "category": "external",
        "summary": "CVE-2016-2183 - NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
      }
    ],
    "title": "TRUMPF: Remote support uses an outdated encryption algorithm",
    "tracking": {
      "aliases": [
        "VDE-2025-078"
      ],
      "current_release_date": "2025-08-29T10:00:00.000Z",
      "generator": {
        "date": "2025-08-29T08:45:17.816Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.32"
        }
      },
      "id": "VDE-2025-078",
      "initial_release_date": "2025-08-25T06:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-08-25T06:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial version"
        },
        {
          "date": "2025-08-29T10:00:00.000Z",
          "number": "1.1.0",
          "summary": "Changed affected Product from 7.0.0\u003c10.0.0 to 7.0.0\u003c8.0.0"
        }
      ],
      "status": "final",
      "version": "1.1.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c08.08.2025",
                        "product": {
                          "name": "Telepresence Box 7.0.0\u003c8.0.0 older than 08.08.2025",
                          "product_id": "CSAFPID-0002"
                        }
                      },
                      {
                        "category": "product_version_range",
                        "name": "\u003e=08.08.2025",
                        "product": {
                          "name": "Telepresence Box 7.0.0\u003c8.0.0 newer than 08.08.2025",
                          "product_id": "CSAFPID-0001"
                        }
                      }
                    ],
                    "category": "product_version_range",
                    "name": "7.0.0\u003c8.0.0"
                  },
                  {
                    "category": "product_version_range",
                    "name": "\u003c7.0.0",
                    "product": {
                      "name": "Telepresence Box \u003c7.0.0",
                      "product_id": "CSAFPID-0004"
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "\u003e=8.0.0",
                    "product": {
                      "name": "Telepresence Box \u003e= 8.0.0",
                      "product_id": "CSAFPID-0005"
                    }
                  }
                ],
                "category": "product_family",
                "name": "Telepresence Box"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "TRUMPF SE + Co. KG"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-2183",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "description",
          "text": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.",
          "title": "Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0001"
        ],
        "known_affected": [
          "CSAFPID-0002",
          "CSAFPID-0004"
        ],
        "known_not_affected": [
          "CSAFPID-0005"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-08-08T06:00:00.000Z",
          "details": "Since August 8th, 2025, an automated configuration update is available for TRUMPF machines with a Telepresence Box 7.0.0 and newer. It will automatically be applied when activating a remote session from the machine. It is not necessary for a TRUMPF technician to join the session.",
          "product_ids": [
            "CSAFPID-0002"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "Machines using a Telepresence Box 6.x and older can\u0027t use secure encryption. All customers still connecting to TRUMPF with such a device will be identified by TRUMPF and contacted with further information. It is possible to order a new Telepresence Box via your sales representative. In such a case, please contact the TRUMPF Service for installation.",
          "product_ids": [
            "CSAFPID-0004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0002",
            "CSAFPID-0004"
          ]
        }
      ],
      "title": "CVE-2016-2183"
    }
  ]
}