Cisco Talos researchers identified multiple unpatched vulnerabilities in the Blender Open Source 3D creation suite that could allow an attacker to run arbitrary code.
Most of the vulnerabilities included multiple overflow code execution flaws and are the result of improperly parsing and handling files in Blender, leading to multiple potential integer overflow or buffer overflow conditions.
If an attacker were to exploit these vulnerabilities they could potentially gain a foothold into an entire organization's network to execute arbitrary code on an affected host running Blender by tricking a user into a open weaponized file, according to a Jan. 11 security advisory.
Talos researchers said Blender has decline to patch the vulnerabilities citing that Blender as saying that “fixing these issues one by one is also a waste of time.” Blender went on to say that “opening a file with Blender should be considered like opening a file with the Python interpreter, you have [to trust] the source it is coming from.”
There are currently no software updates available to address the vulnerability. A Blender spokesperson told SC Media that the Cisco engineer offered to help the firm solve the issue.
"In my opinion it's a valid report we should tackle, but not severe enough to drop all our work and spend our limited resources on it," the spokesperson said."Note also that the vulnerabilities are of kind that require malicious attacks targeted at people - by offering files and hoping someone will download it. It doesn't affect regular use of the software, nor loading files from reliable sources."
This story has been updated to include comments from Blender.