Cisco found multiple flaws in Blender
Last week, the Cisco Talos team uncovered several unpatched vulnerabilities in the 3D animation software Blender that could allow an attacker to execute arbitrary code on the affected computer.
Blender is a free, open-source, cross-platform 3D animation suite that covers the short-film production pipeline: modeling, animation, materials, rendering, audio processing and video editing.
The Talos team said that the majority of the vulnerabilities are integer overflows that can lead to remote code execution. They result from Blender incorrectly parsing and processing files, which creates multiple potential integer overflows or buffer overflows.
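To illustrate the bug class described above (a buffer size computed from file-supplied fields that overflows an integer), here is an added example; it is not taken from Blender's source or from the Talos advisories. The header layout, the function names and the 1 GiB cap are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed policy limit for one decoded image (hypothetical value). */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

/* Hypothetical image header: all three fields come from an untrusted file. */
struct img_header { uint32_t width, height, channels; };

/* Unchecked pattern: the product is computed in 32 bits and wraps silently,
 * so the buffer allocated from it can be far smaller than the pixel data. */
static uint32_t size_unchecked(const struct img_header *h)
{
    return h->width * h->height * h->channels;
}

/* Hardened pattern: check each multiplication before doing it and enforce
 * an upper bound. Returns 0 and sets *out on success, -1 on rejection. */
static int size_checked(const struct img_header *h, size_t *out)
{
    size_t n = h->width;

    if (h->height != 0 && n > SIZE_MAX / h->height) return -1;
    n *= h->height;
    if (h->channels != 0 && n > SIZE_MAX / h->channels) return -1;
    n *= h->channels;
    if (n == 0 || n > MAX_IMAGE_BYTES) return -1;

    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed headers: one ordinary, one whose true size exceeds 2^32. */
    struct img_header ok = { 1920u, 1080u, 4u };
    struct img_header crafted = { 65536u, 16385u, 4u };
    size_t n = 0;

    printf("ordinary: unchecked=%u checked_rc=%d\n",
           (unsigned)size_unchecked(&ok), size_checked(&ok, &n));
    printf("crafted:  unchecked=%u checked_rc=%d\n",
           (unsigned)size_unchecked(&crafted), size_checked(&crafted, &n));
    return 0;
}
```

For the constructed oversized header the unchecked computation yields a small size while the pixel data it describes is more than 4 GiB; the checked version rejects the file before any allocation or copy happens.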
The specific conditions required to exploit these vulnerabilities vary, but often the victim must open a specially crafted malicious file with a copy of Blender installed on the local system. Attackers can upload such files to sites such as GitHub, Google Drive and Dropbox to share them with prospective victims.
Phishing is another, more typical form of attack: attackers can use both social engineering and spear-phishing emails to deliver malicious files to targeted victims remotely.
The Talos team has informed Blender of this discovery, but Blender has made it clear that it refuses to patch these vulnerabilities.
A Blender spokesman said: “Solving these problems one by one is a waste of time. Opening a file using Blender should be considered the same as opening a file using the Python interpreter. You first need to make sure that the file is large enough to be trusted.”
The spokesman added: “In my opinion, this is indeed a valid report that we should handle, but its severity is not enough to allow us to relinquish all our work and expand our limited resources. It should be noted that the use of these vulnerabilities initiates a malicious attack, provided that the user downloads the malicious file, which does not affect the normal use of the software nor affect any user who downloads the file from a trusted source.”