@VcuCyber
Last active May 2, 2024 06:34
Remote attack vulnerabilities on xsTECH CNC router
=================================================
[1] CVE-2024-22807 --> Erase flash memory sector
=================================================
[Description]
An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6
allows attackers to erase a critical sector of the flash memory,
causing the machine to lose network connectivity and suffer from
firmware corruption.
> ------------------------------------------
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Tormach
>
> ------------------------------------------
>
> [Affected Product Code Base]
> xsTECH CNC Router, PathPilot Controller (Version 2.9.6), Torstep Board. - Tormach PathPilot Control System Version 2.9.6
>
> ------------------------------------------
>
> [Affected Component]
> xsTECH CNC Router, PathPilot Controller (Version 2.9.6), Torstep Board Memory, Firmware of the xsTECH CNC Router.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact]
> Denial of Service
>
> ------------------------------------------
>
> [Attack Vectors]
The attack involves executing commands to erase a vital flash memory sector,
causing network configuration loss and firmware corruption.
The erasure disconnects the machine from the network and corrupts its firmware,
leading to broader operational failures. The CNC router cannot connect to the network,
disrupting remote management and network-dependent operations.
The router's basic operational functionality is compromised,
potentially requiring significant intervention to restore functionality, such as re-flashing the firmware.
>
> ------------------------------------------
> [Discoverer]
> Yahya Forihat (VCU), Irfan Ahmed (VCU)
> ------------------------------------------
>
> [Reference]
> https://tormach.com/machines/routers/xstech-router.html
========================================================================
[2] CVE-2024-22808 --> Overwriting the card's name in the device memory
========================================================================
[Description]
An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6
allows attackers to cause a Denial of Service (DoS) by disrupting the
communication between the PathPilot controller and the CNC router via
overwriting the card's name in the device memory.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Tormach
>
> ------------------------------------------
>
> [Affected Product Code Base]
> xsTECH CNC Router, PathPilot Controller (Version 2.9.6), Torstep Board Memory. - Tormach PathPilot Control System Version 2.9.6
>
> ------------------------------------------
>
> [Affected Component]
> xsTECH CNC Router, PathPilot Controller (Version 2.9.6), Torstep Board.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact]
> Denial of Service
>
> ------------------------------------------
>
> [Attack Vectors]
The primary attack vector is directly overwriting the card's name
in the device memory, potentially causing identification or operational issues.
After overwriting the card name, the attacker initiates a restart of the machine
and continues to inject the new name using an iterative injection technique, perpetuating the disruption.
>
> ------------------------------------------
>
> [Discoverer]
> Yahya Forihat (VCU), Irfan Ahmed (VCU)
>
> ------------------------------------------
>
> [Reference]
> https://tormach.com/machines/routers/xstech-router.html
>
=======================================================================
[3] CVE-2024-22809 --> Unauthorized access to the G-code shared folder
=======================================================================
[Description]
Incorrect access control in Tormach xsTECH CNC Router, PathPilot
controller v2.9.6 allows attackers to access the G-code shared folder
and view sensitive information.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Tormach
>
> ------------------------------------------
>
> [Affected Product Code Base]
> PathPilot Controller (Version 2.9.6). - PathPilot Controller (Version 2.9.6).
>
> ------------------------------------------
>
> [Affected Component]
> PathPilot Controller (Version 2.9.6).
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact]
> Information Disclosure
>
> ------------------------------------------
>
> [Attack Vectors]
An attacker gains unauthorized access to the shared folder over the network to reach the G-code files,
with the aim of stealing the proprietary and valuable manufacturing information they contain.
The stolen G-code files could be sold or distributed to competitors, leading to a significant competitive
disadvantage, financial losses, and erosion of market position.
This access also allows the attacker to inject malicious code into the G-code files, which can alter the operations
of the CNC machinery and lead to the production of defective products.
In addition, the attacker could deploy ransomware to encrypt the G-code files,
making them unusable for CNC operations.
>
> ------------------------------------------
>
> [Discoverer]
> Yahya Forihat (VCU), Irfan Ahmed (VCU)
>
> ------------------------------------------
>
> [Reference]
> https://tormach.com/machines/routers/xstech-router.html
======================================================================
[4] CVE-2024-22811 --> Overwriting Hostmot2 cookie
======================================================================
[Description]
An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6, allows attackers to cause
a Denial of Service (DoS) by disrupting the communication between the PathPilot controller and the CNC router
via overwriting the Hostmot2 configuration cookie in the device memory.
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Tormach
>
> ------------------------------------------
>
> [Affected Product Code Base]
> xsTECH CNC Router, PathPilot Controller, Torstep Board - Tormach PathPilot Control System Version 2.9.6
>
> ------------------------------------------
>
> [Affected Component]
> xsTECH CNC Router, PathPilot Controller (Version 2.9.6), Torstep Board Memory.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact]
> Denial of Service
>
> ------------------------------------------
>
> [Attack Vectors]
The primary attack vector is the ability to overwrite the Hostmot2 configuration cookie in the device memory.
After overwriting the cookie, the attacker initiates a restart of the machine and continuously injects
the new cookie using an iterative injection technique to disrupt communication and induce
a Denial of Service (DoS).
>
> ------------------------------------------
>
> [Discoverer]
> Yahya Forihat (VCU), Irfan Ahmed (VCU)
>
> ------------------------------------------
>
> [Reference]
> https://tormach.com/machines/routers/xstech-router.html
======================================================================
[5] CVE-2024-22813 --> Overwriting IP address in the device's memory
======================================================================
[Description]
An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6
allows attackers to overwrite the hardcoded IP address in the device memory,
disrupting network connectivity between the router and the controller.
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Tormach
>
> ------------------------------------------
>
> [Affected Product Code Base]
> xsTECH CNC Router, PathPilot Controller (Version 2.9.6), Torstep Board Memory. - Tormach PathPilot Control System Version 2.9.6
>
> ------------------------------------------
>
> [Affected Component]
> xsTECH CNC Router, PathPilot Controller (Version 2.9.6), Torstep Board.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact]
> Denial of Service
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker can directly change the hardcoded IP address in the device's memory,
disrupting network connectivity and leading to production delays and operational inefficiencies.
>
> ------------------------------------------
>
> [Discoverer]
> Yahya Forihat (VCU), Irfan Ahmed (VCU)
>
> ------------------------------------------
>
> [Reference]
> https://tormach.com/machines/routers/xstech-router.html
======================================================================
[6] CVE-2024-22815 --> Sabotage Attack
======================================================================
[Description]
An issue in the communication protocol of Tormach xsTECH CNC Router,
PathPilot Controller v2.9.6 allows attackers to cause a Denial of
Service (DoS) via crafted commands.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Tormach
>
> ------------------------------------------
>
> [Affected Product Code Base]
> xsTECH CNC Router, PathPilot Controller (Version 2.9.6), Torstep Board Memory. - Tormach PathPilot Control System Version 2.9.6
>
> ------------------------------------------
>
> [Affected Component]
> xsTECH CNC Router, PathPilot Controller (Version 2.9.6), Torstep Board.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact]
> Denial of Service
> Physical Damage
> ------------------------------------------
>
> [Attack Vectors]
> The primary attack vector sends manipulated write commands to the machine memory (Torstep board),
causing the xsTECH CNC Router to behave erratically or crash. By fuzzing the machine with manipulated write commands,
attackers can cause it to crash during the design process, interrupting normal operations.
The attack also includes causing the spindle to move while the machine is idle, which can be a safety hazard and lead to damage.
>
> ------------------------------------------
>
> [Discoverer]
> Yahya Forihat (VCU), Irfan Ahmed (VCU)
>
> ------------------------------------------
>
> [Reference]
> https://tormach.com/machines/routers/xstech-router.html