CVE-2021-34086

8.8 HIGH

📋 TL;DR

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Ultimaker 3D printer web APIs. Attackers can trick authenticated users into executing unauthorized actions on the printer's local web server. Affected users include those running vulnerable Ultimaker printer firmware versions.

💻 Affected Systems

Products:
  • Ultimaker S3 3D printer
  • Ultimaker S5 3D printer
  • Ultimaker 3 3D printer
Versions: S-line through 6.3 and Ultimaker 3 through 5.2.16
Operating Systems: Embedded printer firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the local web server APIs that lack CSRF protection mechanisms.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of 3D printer functionality including unauthorized print jobs, configuration changes, firmware manipulation, or potential physical damage through malicious print commands.

🟠 Likely Case

Unauthorized print jobs, configuration changes, or disruption of ongoing print operations through CSRF attacks against authenticated users.

🟢 If Mitigated

Limited impact with proper CSRF protections, network segmentation, and user awareness about not clicking suspicious links while authenticated.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks require user interaction but are well-understood and documented in the referenced research paper.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after S-line 6.3 and Ultimaker 3 5.2.16

Vendor Advisory: https://ultimaker.com/3d-printers/

Restart Required: Yes

Instructions:

1. Access the printer web interface.
2. Navigate to the firmware update section.
3. Download and install the latest firmware from Ultimaker.
4. Restart the printer after the update completes.

🔧 Temporary Workarounds

Network Segmentation
Applies to: all

Isolate 3D printers on a separate VLAN or network segment to limit the attack surface.

Browser Security Extensions
Applies to: all

Use browser extensions that block CSRF attempts or enforce same-origin policies.

🧯 If You Can't Patch

  • Segment printers on isolated network with strict firewall rules
  • Implement web application firewall rules to detect CSRF patterns
  • Educate users about CSRF risks and safe browsing practices

🔍 How to Verify

Check if Vulnerable:

Check firmware version in printer web interface and compare against vulnerable versions (S-line ≤6.3, Ultimaker 3 ≤5.2.16)

Check Version:

Access printer web interface at http://[printer-ip]/ and navigate to system information

Verify Fix Applied:

Confirm firmware version is updated beyond vulnerable versions and test API endpoints for CSRF tokens
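An added helper (not from the original page or from Ultimaker) that turns the version thresholds above into a repeatable check. It parses the firmware string as it appears in the system information page, compares it numerically rather than as text (so 6.10 is correctly treated as newer than 6.3), and treats "through 6.3" as including 6.3.x patch releases, which is an assumption about how the advisory is to be read. The model keys S3, S5 and UM3 are this example's own naming.

```python
import re

# Last vulnerable release per model, taken from the affected-versions section:
# S-line (S3/S5) through 6.3, Ultimaker 3 through 5.2.16. Keys are this example's own.
LAST_VULNERABLE = {
    "S3": (6, 3),
    "S5": (6, 3),
    "UM3": (5, 2, 16),
}


def parse_version(text):
    """Turn '6.3', '5.2.16' or 'v6.3.1-20210101' into a tuple of ints (numeric prefix only)."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(model, version):
    """True when the firmware is at or below the last vulnerable release for that model.

    Comparison is done on integer tuples, so '6.10' > '6.3' (a plain string
    comparison would get this wrong). The version is padded with zeros and then
    truncated to the threshold's length, so '6.3.1' compares as '6.3' and is
    counted as vulnerable; that reading of "through 6.3" is an assumption.
    """
    key = model.upper()
    if key not in LAST_VULNERABLE:
        raise KeyError(f"unknown model {model!r}; expected one of {sorted(LAST_VULNERABLE)}")
    last = LAST_VULNERABLE[key]
    v = parse_version(version)
    v = (v + (0,) * len(last))[: len(last)]
    return v <= last


if __name__ == "__main__":
    # Constructed sample inputs, as a reader might copy them from the web interface.
    for model, ver in [("S5", "6.3"), ("S3", "6.10"), ("UM3", "5.2.16"), ("UM3", "5.2.17")]:
        state = "VULNERABLE" if is_vulnerable(model, ver) else "fixed"
        print(f"{model} firmware {ver}: {state}")
```

Run it with the model and version string read from the printer's system information page; a result of "fixed" only means the version is past the advisory's threshold, so still confirm that the state-changing API endpoints reject cross-origin requests.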

📡 Detection & Monitoring

Log Indicators:

  • Multiple API requests from different origins in short time
  • Unauthorized configuration changes in printer logs
  • Print jobs initiated without user interaction

Network Indicators:

  • CSRF attack patterns in HTTP requests
  • API calls without proper referrer headers
  • Cross-origin requests to printer APIs

SIEM Query:

source="printer_logs" AND (action="configuration_change" OR action="print_start") AND (user_agent CONTAINS "malicious" OR referrer NOT IN allowed_domains)
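The network indicators above (cross-origin requests and missing referrer headers on printer API calls) as concrete detection logic, added here as an example and not part of the original page or of Ultimaker's software. It assumes a hypothetical key=value access-log format for the printer's web server (the real firmware's log format is not on the page), and flags only state-changing requests (POST/PUT/PATCH/DELETE) whose Origin header, or failing that Referer header, does not match the printer's own origin; a browser value of `Origin: null` is treated as absent. The sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample lines in a hypothetical key=value access-log format.
# Fields: timestamp client method path status origin referer ('-' = header absent).
SAMPLE_LOG = """\
2021-06-10T12:00:01Z 192.168.10.5 GET /api/v1/system status=200 origin=- referer=http://printer.local/
2021-06-10T12:00:07Z 192.168.10.5 POST /api/v1/print_job status=201 origin=http://printer.local referer=http://printer.local/print
2021-06-10T12:01:13Z 192.168.10.5 PUT /api/v1/printer/led status=204 origin=http://evil.example referer=http://evil.example/page.html
2021-06-10T12:01:14Z 192.168.10.5 POST /api/v1/print_job status=201 origin=- referer=-
2021-06-10T12:02:00Z 192.168.10.7 DELETE /api/v1/print_job status=204 origin=null referer=-
"""

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"status=(?P<status>\d+) origin=(?P<origin>\S+) referer=(?P<referer>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    method: str
    path: str
    reason: str


def _origin_of(value):
    """Reduce a header value to scheme://host[:port]; None when absent ('-'), 'null' or unparsable."""
    if value in ("-", "null", ""):
        return None
    p = urlparse(value)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}".lower()


def classify(entry, allowed_origins):
    """Return a reason string if the entry is a suspicious state-changing request, else None."""
    if entry["method"] not in STATE_CHANGING:
        return None  # safe methods are not CSRF targets of interest here
    origin = _origin_of(entry["origin"])
    referer = _origin_of(entry["referer"])
    if origin is None and referer is None:
        return "state-changing request without Origin or Referer"
    source = origin if origin is not None else referer  # Origin is authoritative when present
    if source not in allowed_origins:
        return f"cross-origin state-changing request from {source}"
    return None


def scan_log(text, allowed_origins):
    """Parse log lines and return the list of findings; malformed lines are skipped."""
    allowed = {a.lower() for a in allowed_origins}
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        reason = classify(entry, allowed)
        if reason:
            findings.append(Finding(entry["ts"], entry["client"], entry["method"], entry["path"], reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, {"http://printer.local"}):
        print(f"{f.ts} {f.client} {f.method} {f.path}: {f.reason}")
```

The allowed-origin set is the printer's own web interface address; anything else reaching a state-changing endpoint is what a CSRF page would produce. Requests with neither header are flagged too, because legitimate browser-driven calls from the interface carry at least one of them, while scripted or privacy-stripped requests do not.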
