Vulnerability Spotlight: Multiple Unpatched Vulnerabilities in Blender Identified


Update 1/25/18: Blender has released version 2.79a to address these issues

Technology has evolved in incredible ways that has helped people to create and visualize media like never before. Today, people can use tools such as Blender to visualize, model, and animate 3D content, especially since it's free and open-source software. However, this also make it an attractive target for adversaries to audit and find vulnerabilities. Given the user base of Blender, exploiting these vulnerabilities to compromise a user could have a significant impact as attackers could use the foothold gained by attacking Blender to further compromise an organization's network.

Today, Talos is disclosing multiple vulnerabilities that have been identified in Blender. These vulnerabilities could allow an attacker to execute arbitrary code on an affected host running Blender. A user who opens a specially crafted file in Blender that is designed to trigger one of these vulnerabilities could be exploited and compromised.

Talos has responsibly disclosed these vulnerabilities to Blender in an attempt to ensure they are addressed. However, Blender has declined to address them stating that "fixing these issues one by one is also a waste of time." As a result, there currently is no software update that addresses these vulnerabilities. Additionally, Blender developers believe that "opening a file with Blender should be considered like opening a file with the Python interpreter, you have [to trust] the source it is coming from."

Talos has offered advice to help with these issues. We realize that one developer in an open source project does not speak on behalf of the entire project. The discussion on Blender's site continues.

Attack Scenarios


The specific conditions required to exploit each of these vulnerabilities varies, but they generally require a user to open a supported file type in Blender on their local system. An attacker could weaponize these vulnerabilities and utilize social engineering tactics in conjunction with a spear phishing email to remotely exploit and compromise a targeted user. Other possible scenarios where attackers could exploit and compromise users include cases were malicious files are uploaded to sites like GitHub, Google Drive, and Dropbox for sharing with intended victims.

Talos has previously covered email-based attacks where adversaries sent highly targeted phishing emails to specific users running specific software to compromise them. Similar scenarios where an attacker sends targeted phishing emails to individuals within an organization that utilizes Blender is not outside the realm of possibility. This is especially true given how attackers utilize social engineering tactics to convince users to open files attached to emails, even when organizations are aware that attackers utilize this strategy.

Vulnerabilities Details


These vulnerabilities were identified by Cory Duplantis and another member of Talos.

Multiple vulnerabilities have been identified in Blender which could lead to arbitrary code execution. These vulnerabilities manifest as a result of improperly parsing and handling files in Blender, leading to multiple potential integer overflow or buffer overflow conditions. These vulnerabilities are listed below along with a brief description of the issue. For the full details of each of these vulnerabilities, please refer to each of the specific vulnerability advisories.
  • TALOS-2017-0406 - Blender Sequencer imb_loadtiff Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the .tiff file loading functionality of Blender.
  • TALOS-2017-0407 - Blender Sequencer imb_loadpng Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the .png file loading functionality of Blender.
  • TALOS-2017-0408 - Blender Sequencer imb_loadiris Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the .iris file loading functionality of Blender.
  • TALOS-2017-0409 - Blender Sequencer dpxOpen Buffer Overflow Code Execution Vulnerability
    An buffer overflow vulnerability in the .cin DPX loading functionality of Blender.
  • TALOS-2017-0410 - Blender Sequencer imb_load_dpx_cineon Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the .cin DPX loading functionality of Blender.
  • TALOS-2017-0411 - Blender Sequencer imb_loadhdr Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the .hdr RADIANCE loading functionality of Blender.
  • TALOS-2017-0412 - Blender Sequencer imb_bmp_decode Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the .bmp file loading functionality of Blender.
  • TALOS-2017-0413 - Blender Sequencer imb_get_anim_type Streams Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the animation playing functionality of .avi files in Blender.
  • TALOS-2017-0414 - Blender Sequencer avi_format_convert Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the animation playing functionality of .avi files in Blender.
  • TALOS-2017-0415 - Blender Directory Browsing Thumbnail Viewer Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the directory browser thumbnail viewer functionality of Blender.
  • TALOS-2017-0425 - Blender BKE_image_acquire_ibuf Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the image loading functionality of Blender.
  • TALOS-2017-0433 - Blender vcol_to_fcol Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the upgrade functionality of a legacy Mesh attribute within a .blend file.
  • TALOS-2017-0434 - Blender Object CustomData_external_read Integer Overflow Code Execution Vulnerability.
    An integer overflow vulnerability in the way Blender handles the `CustomData` layer from a `Mesh` object within .blend file.
  • TALOS-2017-0438 - Blender BKE_mesh_calc_normals_tessface Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the way Blender fixes the normals within a `Mesh` object when loading an older version of a .blend file.
  • TALOS-2017-0451 - Blender customData_add_layer__internal Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the upgrade functionality for the legacy Mesh attribute `tface`.
  • TALOS-2017-0452 - Blender multires_load_old_dm base vertex map Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the way Blender handles opening older file versions contains the `Multires` structure.
  • TALOS-2017-0453 - Blender modifier_mdef_compact_influences Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the way Blender handles opening older file versions contains the `bindcos` structure.
  • TALOS-2017-0454 - Blender BKE_curve_bevelList_make Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the way Blender converts curves to polygons.
  • TALOS-2017-0455 - Blender BKE_vfont_to_curve_ex Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the way Blender converts text rendered as a font into a curve.
  • TALOS-2017-0456 - Blender draw_new_particle_system PART_DRAW_AXIS Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the way Blender draws a Particle object.
  • TALOS-2017-0457 - Blender mesh_calc_modifiers eModifierTypeType_OnlyDeform Integer Overflow Code Execution Vulnerability
    An integer overflow vulnerability in the way Blender applies a particular object modifier to a Mesh.
For more information on these vulnerabilities or to view other security advisories, please visit the Vulnerability Information portal on our website.

Conclusion


Vulnerabilities in software are not the exception but the norm, especially as applications increase in size and complexity. Identifying software vulnerabilities in a programmatic fashion is a major challenge, but plays a vital role in securing and protecting our customers as it identifies potential attack vectors that adversaries may already be trying to exploit. Talos will continue to identify software vulnerabilities in order to help protect our customers and, more importantly, the broader internet community.

Coverage


Talos is releasing the following Snort rules that detect attempts to exploit these vulnerabilities in Blender. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules

  • 16716
  • 43399
  • 44167-44168
  • 44186-44187
  • 44223-44230
  • 44237-44266
  • 44269-44270
  • 44287-44288
  • 44318-44319
  • 44376-44377
  • 44397-44398
  • 44441-44442
  • 44444-44449
Share: Email, ReBlog, Twitter, Facebook, Pinterest, Google+
Newer Post: Newer Post
Older Post: Older Post
Date:
Edit this post

Discussion

Powered by Manual Template
Name

.NET 0-day 0day ACDSee Adobe advisory adwind AMP Android Antenna House antivirus apple APT arbitrary code execution Attribution Automation Bahamut BASS beers with talos bitcoin Bitvote Black Hat botnet Brazil BRKSEC-2010 CASC chrome cisco Cisco Live Cisco Security Clam AV ClamAV Cobalt group code injection command injection conferences Coverage cryptocurrency cryptomining CSV CTA CVE-2016-8610 CVE-2017-0199 cve-2017-11882 CVE-2017-5638 CVE-2018-3857 CVE-2018-3858 CVE-2018-3859 CVE-2018-3860 CVE-2018-3870 CVE-2018-3871 CVE-2018-8506 cybercrime dark cloud DDE Decryptor Def Con detection dispute DOC DoS Excel Exploit exploit kits RTF fast flux Flash formbook Foscam Foxit Fuzzing gandcrab google GoScanSSH gozi gplayed GravityRAT Group123 Hangul healthcare HWP Hyland IcedID ICS IDA Pro IMAP incident response India inesap infostealer intel iOS IoT iot malware iPhone IR isfb jRAT JScript kernel mode KevDroid Korea Linux macros MalDoc Malware Malware Analysis Malware Research MDM meltdown meraki Microsoft Microsoft Patch Tuesday Middle East miners mining mobile device management monero Moxa ms tuesday natus NavRAT new router malware NordVPN North Korea nvidia Office office router attack Olympic Destoryer Olympic Destroyer Olympics opsec password stealer patch tuesday PDF phishing PhotoLine PLC podcast pony Powershell privilege escalation ProntoVPN PTEX PubNub PubNubRAT py2exe Pyeongchang pyrebox python Qatar ransomware RAT remcos remote access tool remote code execution research research spotlight reven ReversingLabs Rocke Rockwell Automation ROKRAT rootkit rtf ruby ryptoShuffler samsam samsung Scriptlets security updates sennoma signatures SimpleDirect Media Layer smartthings Smoke Loader Snort Snort Rules Sony South Korea spam spectre spyeye stealer steam struts support Talos TALOS-2017-0507 talosintelligence.com telegrab telegram Tetrane Thanatos ThanatosDecryptor threat intelligence Threat Research Threat Research Summit Threat Round-up Threat Roundup ThreatGrid threats TIFF trickbot trojan TTRS Umbrella ursnif VBScript VMI vpn filter attack VPNFiler VPNFilter VPNFilter malware vuln dev vulndev vulnerabilities Vulnerability vulnerability analysis Vulnerability Report Vulnerability Research vulnerability spotlight vulnerabillity vulnerable routers Whitepaper Windows WindowsCodecs.dll wipers xamarin XSS
false
ltr
item
materialize material: Vulnerability Spotlight: Multiple Unpatched Vulnerabilities in Blender Identified
Vulnerability Spotlight: Multiple Unpatched Vulnerabilities in Blender Identified
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNH0plyNfAXwnZVwZPu6tVkmVpsEG0Ng1HyTPINzvEY6Zgklhr4yfFDTsKmqw5YjaRp2uAJiMQiLpaGpmZocfy_MqzlLUFJ7SILQrouQUeYOsMaCL1qM0gcIBBO3nxQNg5FHA6LPtDJCnA/s640/image1.png
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNH0plyNfAXwnZVwZPu6tVkmVpsEG0Ng1HyTPINzvEY6Zgklhr4yfFDTsKmqw5YjaRp2uAJiMQiLpaGpmZocfy_MqzlLUFJ7SILQrouQUeYOsMaCL1qM0gcIBBO3nxQNg5FHA6LPtDJCnA/s72-c/image1.png
materialize material
https://materialize-material.blogspot.com/2018/01/vulnerability-spotlight-multiple.html
https://materialize-material.blogspot.com/
http://materialize-material.blogspot.com/
http://materialize-material.blogspot.com/2018/01/vulnerability-spotlight-multiple.html
true
1816414542238562206
UTF-8
Not found any posts Not found any related posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU Tag ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Contents See also related Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS CONTENT IS PREMIUM Please share to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy