Vulnerability Disclosure

Posted by user1001 
Vulnerability Disclosure
May 24, 2018 09:54AM
Dear Marlin Community,

As the issue tracking of the Marlin Firmware is done in public GitHub issues, I did not want to disclose a vulnerability of the firmware directly there.

Can someone please point me to a maintainer or responsible person with whom I could discuss further steps about the disclosure?

Thank you in advance.
Best
Felix
Re: Vulnerability Disclosure
May 24, 2018 10:35AM
I smell BS...

Since Marlin is not network enabled.
And hacking into it would get you nowhere at all.

Edited 1 time(s). Last edit at 05/24/2018 10:36AM by Dust.
Re: Vulnerability Disclosure
May 24, 2018 10:43AM
Of course it is not network enabled. But it will parse and handle GCode, which can be malicious.

With control over the firmware, a lot of nasty things can be done:
e.g. [pdfs.semanticscholar.org]
Re: Vulnerability Disclosure
May 24, 2018 04:42PM
Marlin is Open Source. The whole community works together to improve Marlin.

Please post your concerns in this thread, and the community will work together to assess and mitigate the 'threat'.
Or better yet... Please create an issue at [github.com] If the issue is real, it will get fixed ASAP.

Security Through Obscurity Is Not an Answer: [www.pearsonitcertification.com]

Edited 3 time(s). Last edit at 05/24/2018 04:49PM by Roxy.
Re: Vulnerability Disclosure
May 24, 2018 05:28PM
The good news is... If you are worried about what firmware is in your printer... You can keep a version of it that you trust on your SECURE computer, and reflash it before each and every print.

But my guess is, most hobbyists aren't worried about somebody altering the firmware on their printer.
Re: Vulnerability Disclosure
May 24, 2018 08:27PM
Not worried about anyone hacking Marlin source code. There are many programmers watching the new versions of Marlin's source code very closely.
Re: Vulnerability Disclosure
May 25, 2018 03:13AM
That is exactly what we did and we found a vulnerability where Gcode is not handled correctly. The exploit allows more capabilities than what can be achieved with Gcode commands.
My question is: How to fix this? Just a pull request against the GitHub repo?
It might be useful to coordinate it with a release, so that affected, worried users could install the patch in a timely manner.
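The thread does not say what the mishandled GCode was, so the following is not a reproduction of that bug and is not Marlin's code. It is an added example of the defensive shape a firmware-side GCode line parser can take: a fixed-size line buffer with an explicit length check, comment and checksum stripping, a command-letter allowlist (only G and M here, an assumption for the example), a bounded parameter table, and rejection of non-finite numeric values. The sample lines, including the overlong one built at run time, are constructed for the example.

```c
#include <ctype.h>
#include <math.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer sizes for this example; real firmware picks its own. */
#define MAX_LINE_LEN 96
#define MAX_PARAMS   8

typedef struct {
    char   letter;                 /* command letter: 'G' or 'M' */
    int    number;                 /* command number, e.g. 28 for G28 */
    int    nparams;                /* parameters actually stored */
    char   pletter[MAX_PARAMS];    /* parameter letters, e.g. 'X' */
    double pvalue[MAX_PARAMS];     /* parameter values, 0 when bare */
} gcode_cmd_t;

typedef enum {
    GC_OK = 0, GC_TOO_LONG, GC_EMPTY, GC_BAD_COMMAND,
    GC_BAD_PARAM, GC_TOO_MANY_PARAMS
} gc_status_t;

/* Parse one line into *out. Every failure path returns before any
 * field of *out is trusted, and nothing is written past buf[]. */
gc_status_t parse_gcode_line(const char *line, gcode_cmd_t *out)
{
    char buf[MAX_LINE_LEN + 1];
    size_t n = strnlen(line, MAX_LINE_LEN + 1);   /* never scans past the limit */
    if (n > MAX_LINE_LEN) return GC_TOO_LONG;     /* reject, do not truncate */
    memcpy(buf, line, n);
    buf[n] = '\0';

    char *cut = strchr(buf, ';');                 /* drop ';' comment */
    if (cut) *cut = '\0';
    cut = strchr(buf, '*');                       /* drop '*nn' checksum field */
    if (cut) *cut = '\0';

    char *p = buf;
    while (isspace((unsigned char)*p)) p++;
    if (*p == 'N') {                              /* optional line number */
        p++;
        while (isdigit((unsigned char)*p)) p++;
        while (isspace((unsigned char)*p)) p++;
    }
    if (*p == '\0') return GC_EMPTY;

    memset(out, 0, sizeof *out);
    char c = (char)toupper((unsigned char)*p);
    if (c != 'G' && c != 'M') return GC_BAD_COMMAND;   /* allowlist (assumed) */
    out->letter = c;
    p++;
    char *end;
    long num = strtol(p, &end, 10);
    if (end == p || num < 0 || num > 999) return GC_BAD_COMMAND;
    out->number = (int)num;
    p = end;

    while (*p) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0') break;
        char pl = (char)toupper((unsigned char)*p);
        if (!isalpha((unsigned char)pl)) return GC_BAD_PARAM;   /* e.g. '!' */
        if (out->nparams >= MAX_PARAMS) return GC_TOO_MANY_PARAMS;
        p++;
        double v = strtod(p, &end);               /* bare letter -> value 0 */
        if (end == p) v = 0.0;
        if (!isfinite(v)) return GC_BAD_PARAM;   /* 1e400, inf, nan rejected */
        out->pletter[out->nparams] = pl;
        out->pvalue[out->nparams] = v;
        out->nparams++;
        p = end;
    }
    return GC_OK;
}

/* Helpers so results can be checked without poking at the struct. */
gc_status_t check_line(const char *line)
{
    gcode_cmd_t cmd;
    return parse_gcode_line(line, &cmd);
}

int param_count(const char *line)
{
    gcode_cmd_t cmd;
    return parse_gcode_line(line, &cmd) == GC_OK ? cmd.nparams : -1;
}

/* Constructed sample input: three well-formed lines, three malformed
 * ones, plus an overlong line. Returns how many lines were accepted. */
int count_accepted(void)
{
    static const char *samples[] = {
        "G28",
        "N12 G1 X10.5 Y-2 F1500 *57",
        "M104 S200 ; heat",
        "G1 X1e400",        /* overflows to inf: rejected */
        "G1 X10 !",         /* stray character: rejected */
        "T0",               /* outside this example's allowlist: rejected */
    };
    char overlong[MAX_LINE_LEN * 2];
    memset(overlong, 'X', sizeof overlong - 1);
    overlong[0] = 'G';
    overlong[sizeof overlong - 1] = '\0';

    int ok = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (check_line(samples[i]) == GC_OK) ok++;
    if (check_line(overlong) == GC_OK) ok++;
    return ok;
}
```

The point for a reviewer is less the tokenizer than the failure handling: an overlong line is refused rather than silently truncated, the parameter table has a hard bound, and values that would be accepted by `strtod` but make no sense as motion or temperature targets are refused before any later code sees them.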
Re: Vulnerability Disclosure
May 26, 2018 11:57AM
Yes... Make a Pull Request with the appropriate changes. And be sure to give a good description for what is being fixed.
Re: Vulnerability Disclosure
May 26, 2018 12:00PM
Quote
Roberts_Clif
Not worried about anyone hacking Marlin source code. There are many programmers watching the new versions of Marlin's source code very closely.

And in fact... typically people do not share GCode files. They share .STL files and each person slices that file for their printer.

About the only time we share GCode files is when we have some problem and it requires a lot of state information to be setup correctly to see it. And in those cases, we try to edit out as much of the file as we can prior to sharing it.
Re: Vulnerability Disclosure
May 26, 2018 12:13PM
Quote
Roxy
And in fact... typically people do not share GCode files. They share .STL files and each person slices that file for their printer.

About the only time we share GCode files is when we have some problem and it requires a lot of state information to be setup correctly to see it. And in those cases, we try to edit out as much of the file as we can prior to sharing it.

Exactly! Correct.