Wednesday, February 24, 2021

Vulnerability Spotlight: Out-of-bounds read vulnerability in Slic3r could lead to information disclosure

Lilith >_> of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered an out-of-bounds read vulnerability in Slic3r's library. Slic3r is an open-source 3-D printing toolbox, mainly used for translating assorted 3-D printing model file types into machine code for a specific printer. The software uses libslic3r to perform most of the non-GUI-based processes such as reading various file formats, converting formats and outputting appropriate gcode for selected 3-D printer settings. An adversary could send a target a specially crafted obj file to cause an out-of-bounds condition.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Slic3r to disclose this vulnerability and ensure that an update is available.

Vulnerability details

Slic3r libslic3r Obj File TriangleMesh::TriangleMesh() out-of-bounds read vulnerability (TALOS-2020-1213/CVE-2020-28590)

An out-of-bounds read vulnerability exists in the Obj File TriangleMesh::TriangleMesh() functionality of Slic3r libslic3r 1.3.0 and Master Commit 92abbc42. A specially crafted obj file could lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information. 


Versions tested

Talos tested and confirmed that this vulnerability affects Slic3r libslic3r, version 1.3.0 and Master Commit 92abbc42.


Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 56721, 56722
