CVE-2024-51330
Description
An issue in UltiMaker Cura v.4.41 and 5.8.1 and before allows a local attacker to execute arbitrary code via Inter-process communication (IPC) mechanism between Cura application and CuraEngine processes, localhost network stack, printing settings and G-code processing and transmission components, Ultimaker 3D Printers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
UltiMaker Cura versions 4.41, 5.8.1 and earlier allow local attackers to manipulate G-code via unencrypted inter-process communication, leading to arbitrary code execution.
Vulnerability
Description
An issue in UltiMaker Cura versions 4.41, 5.8.1 and earlier allows a local attacker to execute arbitrary code via an unencrypted inter-process communication (IPC) mechanism [1]. The Cura application communicates with CuraEngine (the slicing process) over localhost using the libArcus protocol on port 49674 [1]. This IPC channel carries a bidirectional flow of data essential to the 3D printing process, including mesh data (a binary representation of the 3D model's geometry) and printing settings, which are transmitted as plaintext [1].
Exploitation
The vulnerability can be exploited by a local attacker with access to the machine running Cura [1]. Because the IPC is unencrypted and runs over the localhost network stack, an attacker can intercept or inject data into the communication channel. The printing settings, sent as plaintext, are easily modifiable in real time [1]. The attacker could modify these settings, or the G-code instructions that CuraEngine generates from the mesh and settings, potentially altering printer behavior [1].
Impact
Successful exploitation allows a local attacker to execute arbitrary code on the system [description]. By tampering with the IPC data, the attacker could manipulate G-code sent to Ultimaker 3D Printers, leading to unintended printer actions or other malicious outcomes [1].
Mitigation
As of publication, no specific patch or security update is mentioned in the reference. Users should limit local access to systems running Cura and monitor IPC traffic on localhost. It is recommended to apply any future updates from UltiMaker that address this vulnerability.
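One way to act on the advice to monitor localhost IPC traffic, as an added example that is not code from UltiMaker or from the cited reference: audit `ss -Htanp` output for sockets on the libArcus port 49674 that are owned by an unexpected process or that are not confined to loopback. The Linux `ss` tool, the expected process names `cura` and `curaengine`, the function name and the sample rows are all assumptions made for illustration.

```python
import re

ARCUS_PORT = "49674"               # libArcus port named in the advisory
EXPECTED = {"cura", "curaengine"}  # assumption: process names on this host
LOOPBACK = {"127.0.0.1", "[::1]"}
OWNER_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')

def audit_arcus_sockets(ss_output):
    """Return findings for `ss -Htanp` rows that touch the libArcus port."""
    findings = []
    for line in ss_output.strip().splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        lhost, _, lport = local.rpartition(":")
        phost, _, pport = peer.rpartition(":")
        if ARCUS_PORT not in (lport, pport):
            continue
        # The channel is plaintext, so it must never leave loopback.
        if state == "LISTEN" and lhost not in LOOPBACK:
            findings.append(("non-loopback-listener", local))
        elif state != "LISTEN" and not {lhost, phost} <= LOOPBACK:
            findings.append(("non-loopback-peer", f"{local}->{peer}"))
        owners = OWNER_RE.findall(fields[5]) if len(fields) > 5 else []
        if not owners:
            # ss hides owners of other users' sockets unless run as root.
            findings.append(("unknown-owner", local))
        for name, pid in owners:
            if name.lower() not in EXPECTED:
                findings.append(("unexpected-process", f"{name}/{pid}"))
    return findings

# Constructed sample rows, not captured from a real host.
SAMPLE = """
LISTEN 0 5 127.0.0.1:49674 0.0.0.0:* users:(("cura",pid=4200,fd=30))
ESTAB 0 0 127.0.0.1:49674 127.0.0.1:51234 users:(("cura",pid=4200,fd=31))
ESTAB 0 0 127.0.0.1:51234 127.0.0.1:49674 users:(("CuraEngine",pid=4321,fd=5))
ESTAB 0 0 127.0.0.1:51240 127.0.0.1:49674 users:(("python3",pid=5555,fd=3))
ESTAB 0 0 127.0.0.1:49674 127.0.0.1:51240 users:(("cura",pid=4200,fd=32))
ESTAB 0 0 127.0.0.1:22 127.0.0.1:40000 users:(("sshd",pid=900,fd=4))
"""

if __name__ == "__main__":
    for kind, detail in audit_arcus_sockets(SAMPLE):
        print(kind, detail)
```

Run it with elevated privileges so that `ss` can report the owning process of every socket; otherwise rows for other users' processes surface as `unknown-owner`.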
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)