CVE-2024-8374: UltiMaker Cura Patched Against Arbitrary Code Execution Vulnerability
Security researchers have uncovered a vulnerability in the popular 3D printing software UltiMaker Cura. The issue was identified by specialists at Checkmarx, who analyzed the source code during a security test as part of their internal vulnerability discovery program.
The security flaw, registered as CVE-2024-8374, involves the potential for arbitrary code execution via the 3MF file format, widely used in 3D modeling and printing. Cura, one of the most popular open-source slicing solutions for 3D models, was found to be susceptible to code injection upon loading 3MF files.
Researchers discovered that the issue lies within the “convertSavitarNodeToUMNode” method, which passes values taken from the file to the “eval” function without validating them. This gap allows attackers to embed arbitrary commands within 3MF files, which execute automatically when the file is loaded into Cura, even without initiating the slicing process. As a result, a tampered model can appear completely legitimate, making it an ideal tool for targeting unsuspecting users.
Experts emphasized that this vulnerability poses significant risk within the context of supply chain attacks. Malicious models could be distributed through popular 3D model repositories, such as Printables and Thingiverse, or open-source repositories, creating security risks for sectors tied to national security and healthcare.
The UltiMaker team responded swiftly to the vulnerability report, releasing a patch within a day. In version “5.8.0-beta.1,” launched on July 16, 2024, the “eval” call was removed and replaced with stricter, more secure parsing of the data.
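The following is an added illustration of the eval-versus-strict-parsing change the two paragraphs above describe; it is not Cura's code, and the 3MF-style metadata block, the element names and the function names are constructed assumptions. It reads per-object setting strings from the metadata, shows that the eval pattern executes whatever expression the file carries, and contrasts a parser that accepts only literal values and reports anything else instead of running it.

```python
"""Illustrative model of the CVE-2024-8374 pattern (added example, not Cura's
code): setting values read from 3MF metadata were passed to eval(); the fix
replaces that with strict parsing that cannot execute code."""
import ast
import xml.etree.ElementTree as ET

# Constructed 3MF-style metadata (assumption: not Cura's exact schema).
# The last entry carries an expression instead of a setting value.
SAMPLE_METADATA = """
<metadatagroup>
  <metadata name="drop_to_buildplate">True</metadata>
  <metadata name="infill_sparse_density">20</metadata>
  <metadata name="drop_to_buildplate_tampered">(lambda: 'executed')()</metadata>
</metadatagroup>
"""

def read_metadata(xml_text):
    """Return {name: raw string} for every <metadata> element in the group."""
    root = ET.fromstring(xml_text.strip())
    return {m.get("name"): (m.text or "").strip() for m in root.iter("metadata")}

def convert_value_unsafe(raw):
    """The vulnerable pattern: eval() on a string that came from the file.
    Any Python expression stored in the model runs as soon as it is loaded."""
    return eval(raw)

ALLOWED_TYPES = (bool, int, float, str)

def convert_value_strict(raw):
    """Hardened replacement: ast.literal_eval accepts only literals (numbers,
    strings, True/False/None, containers) and refuses calls, attribute access
    and arbitrary names, so file content can never execute code."""
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        raise ValueError("rejected non-literal setting value: %r" % raw)
    if not isinstance(value, ALLOWED_TYPES):
        raise ValueError("rejected setting of type %s" % type(value).__name__)
    return value

def load_settings(xml_text):
    """Convert every metadata value with the strict parser. Tampered entries
    end up in the rejected list (for logging or alerting) instead of running."""
    accepted, rejected = {}, []
    for name, raw in read_metadata(xml_text).items():
        try:
            accepted[name] = convert_value_strict(raw)
        except ValueError:
            rejected.append(name)
    return accepted, rejected
```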
According to Checkmarx researchers, collaboration with the UltiMaker team was highly effective, enabling timely mitigation of the issue and preventing potential exploitation by malicious actors. The improved version of Cura is now available to all users, and the company strongly recommends updating to the stable version “5.8.0,” released on August 1, 2024.