Jump to content

Ultimaker 3 Extended - CVE-2021-23017 nginx Vulnerability


noverby

Recommended Posts

Posted · Ultimaker 3 Extended - CVE-2021-23017 nginx Vulnerability

Good day folks!
 

We utilize Qualys to scan our network for security vulnerabilities, and a recent scan returned a hit for CVE-2021-23017, which seems to be a fairly nasty nginx vulnerability on our Ultimaker 3 Extended running firmware version 5.3.0.  I've been tasked by our security group to find out if the fix for that vulnerability is going to be backported into the version of nginx in use on the device?

 

Thanks!

  • Link to post
    Share on other sites

    Posted · Ultimaker 3 Extended - CVE-2021-23017 nginx Vulnerability

    @noverby Thanks for bringing this to our attention. We checked the vulnerability and it's only applicable when a certain configuration option in nginx is active. In our UM3 printers that option is not present, so this CVE is not applicable.

    I'll make a note to update nginx in a next release, but because it has no impact on our printers we won't rush a new release.

    • Like 1
    Link to post
    Share on other sites

    Posted (edited) · Ultimaker 3 Extended - CVE-2021-23017 nginx Vulnerability

    Hello! Could you please also comment on JQuery and nginx ( outdated versions ) for 7.0.0.0 ( Ultimaker S5 ). We are also have complains from our IT department due to firmware vulnerabilities. Will it be updated in the next patch? Thank you!

    Edited by esertuk
  • Link to post
    Share on other sites

    Posted (edited) · Ultimaker 3 Extended - CVE-2021-23017 nginx Vulnerability

    @esertuk Just like @CarloK said above none of our printers are using the configuration option that allows for that particular exploit, so we are not rushing to include a new version. Nor are we currently aware of any CVE for nginx that we do expose our users to since all require specific configurations we don't use). We do asses security concerns on an ongoing basis, I imagine you could contact support and request our latest security assessment documentation.

     

    I think the Jquery CVE's concerning XSS are a valid concern (albeit with the low impact of at worst (re-)starting a print, not retrieval of information AFAIK).
    The S3 and the S5 have the option to enable the firewall, you can still use the cloud platform if you do but none of the software running on the printer is exposed to attackers on your internal network. This should alleviate any concerns from your IT department.

    Edit: Adding up-sell, FTW? 😛
    If your organization subscribes to Ultimaker Essentials your IT department can block access to the printer settings by configuring a pin code and enable the firewall on all printers remotely.
    // Now I feel dirty, you can just enable the firewall and tell everyone to leave it on.

    Edited by robinmdh
    adding the up-sell
  • Link to post
    Share on other sites

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now
    • Our picks

      • UltiMaker Cura 5.8 Stable released 🎉
        In the Cura 5.8 stable release, everyone can now tune their Z seams to look better than ever. Method series users get access to new material profiles, and the base Method model now has a printer profile, meaning the whole Method series is now supported in Cura!
        • 5 replies
      • Introducing the UltiMaker Factor 4
        We are happy to announce the next evolution in the UltiMaker 3D printer lineup: the UltiMaker Factor 4 industrial-grade 3D printer, designed to take manufacturing to new levels of efficiency and reliability. Factor 4 is an end-to-end 3D printing solution for light industrial applications
          • Thanks
          • Like
        • 3 replies
    ×
    ×
    • Create New...