Malicious 3MF models can go undetected for a long time.
Security researchers have discovered a vulnerability in the popular 3D printing software UltiMaker Cura. The problem was identified by Checkmarx specialists, who analyzed the source code during security testing as part of their internal vulnerability search program.
The security flaw, registered as CVE-2024-8374, allows arbitrary code execution via the 3MF file format used for 3D modeling and printing. Cura, one of the most popular open-source slicers for 3D models, turned out to be vulnerable to code injection when loading 3MF files.
The researchers found that the problem lies in the "convertSavitarNodeToUMNode" method, where input data taken from the file is passed to the "eval" function without validation. This allows attackers to embed arbitrary commands in 3MF files that are executed automatically as soon as the file is loaded into Cura, even without starting the slicing process. The modified model can otherwise look completely legitimate, which makes it an ideal vehicle for attacking users.
Experts noted that this vulnerability is particularly dangerous in the context of attacks on supply chains. Malicious models can spread through popular 3D model databases such as Printables and Thingiverse, or through open source repositories, posing risks to sectors related to national security and healthcare.
The UltiMaker team promptly responded to the problem report and released a fix within a day. Version 5.8.0-beta.1, released on July 16, 2024, removed the "eval" call and replaced it with stricter handling that parses the value as a boolean.
According to researchers from Checkmarx, the interaction with the UltiMaker team was conducted at a high professional level, which made it possible to eliminate the problem in a timely manner and prevent its possible use by attackers. The improved version of Cura is now available to all users, and the company strongly recommends updating to the stable version "5.8.0", which was released on August 1, 2024.
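The vulnerable pattern described above (a value read from a 3MF file handed to eval) and the kind of strict boolean handling that replaced it are contrasted in the following added example. This is illustrative code written for this post, not Cura's source: the 3MF archive is constructed inline, and the metadata key names and the function names (build_3mf, read_object_metadata, to_bool_unsafe, to_bool_strict, check_model) are assumptions, not Cura's actual schema or API.

```python
"""
Added example (not Cura's code): eval()-based conversion of a metadata value
versus a strict boolean parser, applied to a constructed 3MF archive.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed 3MF-like model document. A real 3MF is a ZIP (OPC) archive whose
# main payload is 3D/3dmodel.model; the per-object <metadata> entries below are
# made up for this example and do not reproduce Cura's settings schema.
MODEL_XML = """<?xml version="1.0" encoding="UTF-8"?>
<model xmlns="http://schemas.microsoft.com/3dmanufacturing/core/2015/02">
  <resources>
    <object id="1" type="model">
      <metadata name="support_enable">True</metadata>
      <metadata name="retraction_enable">1+1</metadata>
      <metadata name="adhesion_enable">yes</metadata>
    </object>
  </resources>
</model>
"""

NS = {"m": "http://schemas.microsoft.com/3dmanufacturing/core/2015/02"}


def build_3mf() -> bytes:
    """Pack the constructed model document into an in-memory 3MF archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("3D/3dmodel.model", MODEL_XML)
    return buf.getvalue()


def read_object_metadata(archive: bytes) -> dict:
    """Return {name: raw text} for each <metadata> of the first <object>."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        root = ET.fromstring(zf.read("3D/3dmodel.model"))
    obj = root.find(".//m:object", NS)
    return {md.get("name"): (md.text or "") for md in obj.findall("m:metadata", NS)}


def to_bool_unsafe(value: str):
    """The anti-pattern: eval() on file-controlled text. Any Python expression
    in the file runs, so "1+1" yields 2 instead of being rejected."""
    return eval(value)  # shown only to contrast with the safe version below


def to_bool_strict(value: str) -> bool:
    """The safe pattern: accept only the two literal spellings, reject the rest."""
    if value == "True":
        return True
    if value == "False":
        return False
    raise ValueError(f"expected 'True' or 'False', got {value!r}")


def check_model(archive: bytes) -> dict:
    """Strictly parse every boolean metadata entry; report parsed vs rejected keys.
    Rejections are the signal a loader (or a pre-load scanner) should act on."""
    parsed, rejected = {}, {}
    for name, raw in read_object_metadata(archive).items():
        try:
            parsed[name] = to_bool_strict(raw)
        except ValueError as exc:
            rejected[name] = str(exc)
    return {"parsed": parsed, "rejected": rejected}


if __name__ == "__main__":
    report = check_model(build_3mf())
    print("parsed:  ", report["parsed"])
    print("rejected:", report["rejected"])
    print("eval('1+1') ->", to_bool_unsafe("1+1"))
```

Running the script shows the difference in one place: the strict parser accepts only "True" and rejects the other two values with a clear error, while the eval-based path happily computes "1+1" and would do the same for any other expression. The same strict check can be lifted into a pre-load scanner that flags archives whose boolean metadata contains anything other than the two literals.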
Source