Buffer Overflow Vulnerability Disrupts 3D PrintersVulnerability in Chitubox Anycubic Affects 3D Printer Users; No Fix Available
"The vulnerability CVE-2021-21948 is caused by an integer overflow, writing data into an incorrectly sized buffer causing a heap overflow. The CVSSv3 score for the vulnerability is 7.8. A malicious threat actor could create a specially crafted .gf file to trigger the vulnerability. However, for exploitation to occur, a user would have to interact with the malicious file," Martin Lee, outreach manager, EMEA at Cisco Talos, tells Information Security Media Group.
Talos is encouraging users to update these affected products as soon as possible: Anycubic Chitubox Anycubic Plug-in, version 1.0.0 and Chitubox Basic, version 1.8.1.
"Talos tested and confirmed this software is affected by this vulnerability," the researchers say.
Chitubox is a third-party slicing software for SLA, DLP and LCD resin-based 3D printers. Version 1.0 was released in 2017 by the Chinese company CBD-Tech. The vulnerability exists in the readDatHeadVec functionality of Anycubic Chitubox Anycubic Plug-in 1.0.0.
"The specific Anycubic plug-in allows the software to convert the output of the Chitubox slicer, or general format files, into the format expected by Anycubic's series of printers. These converted files are then used directly for all functionality provided by the printers," says Carl Hurd, security research engineering technical leader at Cisco Talos, who first discovered this vulnerability.
Taylor Gulley, senior application security consultant at nVisium, a Falls Church, Virginia-based application security provider, tells ISMG, "As you wouldn't normally be converting a file that you didn't slice yourself, this should be rare to come across in the wild.
The Cisco Talos researchers say that the overflow occurs due to an integer overflow, which is caused by using 32-bit registers instead of the extended 64-bit registers.
The common weakness enumeration, a community-developed list of software and hardware weakness types, describes a heap overflow condition as a buffer overflow in which the buffer can be overwritten and is allocated in the heap portion of memory. This means the buffer was allocated using a routine such as malloc(), a function used to assign a specified amount of memory for an array to be created.
"The imul instruction will truncate the value during the multiplication, losing the most significant 32 bits. This calculated size is used to allocate the correct size for the vector of GfDatHead_t. A very similar multiplication occurs and uses a 64-bit register for the multiplication, thus eliminating the possibility of an overflow, since both values are loaded as 32-bit values. This new value calculated is used in the thread as a length of data to read into the buffer sized using the value calculated, which is too small, resulting in a buffer overflow while reading the file contents into the buffer," the researchers say.
Gulley says buffer overflow vulnerabilities frequently result in code execution capabilities that can lead to machine takeover.
According to the research, Hurd discovered the buffer overflow on Sept. 28. One month later, on Oct. 29, the Cisco Talos team followed up. The company followed up over 45 days later and then did a final review on Dec. 13.
Cisco Talos says it is disclosing these issues despite no official fix being available, in accordance with Cisco's vulnerability disclosure policy. On Monday, the firm decided to publicly release details of its findings.
"We contact vendors once we have identified a vulnerability to share the details of our discovery and repeatedly attempt to make contact if we receive no reply. Ninety days following initial contact, we publicly disclose our findings," Lee says.
Talos also released snort rules 58233 and 58234 to detect attempts at exploitation of this vulnerability.
"Organizations should be aware that threat actors may seek to distribute malicious files that exploit this and similar vulnerabilities. Users should be reminded not to open unexpected file attachments or interact with emails of dubious origin," Lee says.
He says protection against threats such as these requires multiple overlapping layers of security, preventing malicious files from entering an organization, detecting the presence of malicious code following exploitation of a vulnerability, and remaining vigilant for indications of malicious traffic being transmitted over networks.
"No matter how effective organizations believe their defenses to be, everyone needs to prepare in advance their incident response plans and know how they will resolve an incident and swiftly restore their functions to normal," Lee says.
Gulley tells ISMG, "Incidents like this show that companies should stick to the open standard of gcode for describing machine movement. Standards increase compatibility and decrease the chance of flaws such as this happening. Complexity leads to a larger attack surface."
Supply Chain Threat
Third-party software such as Chitubox, which operates across multiple hardware devices, greatly expands the opportunity for vulnerabilities to exist due to the extensive testing needed to check every possible hardware/software combination, Bud Broomhead, CEO and founder of Viakoo, tells ISMG.
Broomhead says this is true of many types of IoT devices - 3D printers, IP cameras, smart building systems, etc. - where the software manufacturer does not control or have in-depth knowledge of the hardware devices it will be used with. Comprehensive cyber hygiene, such as automated firmware updates or use of certificates, is needed, he says, especially for IoT systems that involve hardware and software from multiple vendors to prevent the exploitation of "corner case" vulnerabilities.