  1. #1
    Member fdfxd
    Join Date
    Jan 2015
    Location
    Egypt, Alexandria
    Posts
    1,569

    Vulnerability Spotlight: Multiple Unpatched Vulnerabilities in Blender Identified

    http://blog.talosintelligence.com/20...der-vulns.html


    ....okay, fair statement when you think about it, but you gotta admit it's bad optics, really bad optics.

    Ton's statement
    The quoted developer is giving his own opinion here. If you look at all discussions, we took their reports very seriously and spent a lot of time on it already. I don't think it's fair to publish it with such a negative accusation. I've asked Cisco to correct the text.
    Meanwhile: the issue has been recognised and we hope we can tackle it with Cisco's help.
    Brecht followed up with this statement later on...

    Right, I am not speaking for the Blender Foundation. Nor am I saying vulnerabilities should not be taken seriously, but rather that if anyone is serious about making loading arbitrary .blend files in Blender secure, fixing these issues reported by TALOS will not get us much closer to that. Users should understand that loading untrusted scene files in Blender and similar CG software is not secure, and not get the false impression that software developers addressing the occasional reported issue means it is secure.


    For background on security and arbitrary code execution in CG software in general, see this article.

    eh fair enough.


    I don't think the security flaws are a big deal either,

    You should treat files you downloaded from a random site, like candy from a stranger.

    You probably shouldn't be doing it in the first place, but when you do, scan it.
    GPU: Sapphire R7 240 1GB Overclocked, CPU: Intel Pentium G2030 3.0 GHz 3MB Cache Dual Threaded, Ram: 8 GB Kingston Hyper X Fury DDR3



  2. #2
    Member Ace Dragon
    Join Date
    Feb 2006
    Location
    Wichita Kansas (USA)
    Posts
    28,541
    If similar security issues are present in the internal file formats of other DCC apps. (Maya, Modo, etc...), then I'm not sure if they should be treated as a big deal if the commercial vendors are also not doing anything.

    Though since Blender is free and open source, it would attract a large audience that otherwise can't afford to work in 3D (meaning that a large chunk of Blender users aren't as computer-savvy as the average Maya user). Having basic security measures in the .blend file format may not be a bad thing.
    Sweet Dragon dreams, lovely Dragon kisses, gorgeous Dragon hugs. How sweet would life be to romp with Dragons, teasing you with their fire and you being in their games, perhaps they can even turn you into one as well.
    Adventures in Cycles; My official sketchbook



  3. #3
    Member geoadel
    Join Date
    May 2005
    Location
    Germany
    Posts
    37
    What might that mean for public render farms though? There I cannot control, what kind of blend runs on my computer... :/



  4. #4
    Member fdfxd
    Join Date
    Jan 2015
    Location
    Egypt, Alexandria
    Posts
    1,569
    Originally Posted by geoadel View Post
    What might that mean for public render farms though? There I cannot control, what kind of blend runs on my computer... :/

    Good point....



  5. #5
    Member
    Join Date
    Sep 2012
    Posts
    2,920
    So why is .jpg still in 'widespread' use? I'm more & more certain other interests are behind all this...
    Last edited by burnin; 14-Jan-18 at 08:19.



  6. #6
    Member
    Join Date
    Oct 2017
    Location
    Australia
    Posts
    27
    So if I've been reading this right, they aren't talking about any old .blend file with some included script that could do bad things, they are talking about some sort of 'crafted' .blend file.

    I assume by that they mean it's not even something you could create just by using Blender: a hacker would have to manually create/code a .blend file that the software would load and not just reject or crash outright, and, aside from what may or may not show up in the viewport, some extra code would also run and access data/files, etc. outside of the Blender software, to then, I assume, download/install an extra rootkit and the like.

    And at this stage only the possibility that Blender allows this to happen has been identified, there's no actual proof of concept yet, let alone any actual attack experienced in the wild?

    Is all of that basically correct?

    If so I say they work on patches as part of the 2.8 development, unless an actual confirmed attack happens, then all other work stops till an emergency patch of 2.79 is released.



  7. #7
    Member theoldghost
    Join Date
    Jun 2008
    Location
    U.S.A. The Southeast section of Virginia
    Posts
    1,718
    While it pains me to agree with Ace he does have a point. Autodesk does indeed have the same security flaws as do the biggest proprietary programs. And, to patch each and every flaw would be a nightmare is my understanding.

    Now as a Blender user I don't download Blend files except from maybe a trusted friend in the community. But I do, however, download an occasional add-on. And, if they have the same capability as a blend file, maybe some check could be devised for them. That being said, I understand much of the feedback in the community is based on actually seeing a blend file. Which has been encouraged in our community for many years, and why not. 'Show me your blend file' is the most efficient way to help out a fellow blender head in distress.

    And, while we have also been warned for many years a blend file can be a disaster it was a means to a end. Problem solving by screen shots and dialog is way less efficient. So where does this leave us after someone has announced to the world how flawed this might be. Sharing it with the world if you will.

    I have not a clue since the developers would be the minds to ponder that. And, the last time I checked, the developers are way too busy for hanging out on the BA forum. Nor, engaging in trying to bullet proof a 3d program, which is exactly the way I would have it. Just a thought I was mulling over this morning.

    ///



  8. #8
    Member m9105826
    Join Date
    Dec 2007
    Location
    Fairfax, VA
    Posts
    4,249
    Any program with scripting access is going to have these vulnerabilities. Treat a .blend with the same respect you'd treat a .py, .lua, or .exe and you'll be fine.
    Long time 3D artist and member of the official Cycles Artists Module
    https://www.youtube.com/user/m9105826 - Training, other stuff. Like and subscribe for more!
    Follow me on Twitter: @mattheimlich or on my blog



  9. #9
    Member BluePrintRandom
    Join Date
    Jul 2008
    Location
    NoCal Usa
    Posts
    18,513
    blender verse / network sockets could run clients who had no script-level access,
    (to share work without really sharing the .blend)

    I think blender verse / scripting permission system / editing privilege sandbox could be nice for a teaching env.

    admin has all privileges, and can grant privileges temp or permanent on a server.
    Break it and remake it - Wrectified
    If you cut off a head, the hydra grows back two.
    "headless upbge"



  10. #10
    Member karab44
    Join Date
    Oct 2014
    Location
    Poland
    Posts
    179
    If it comes to render farms - most of them don't allow scripts within your .blend file, or they trim them out.

    Files don't have to be specially coded - if you only enable run autoscripts, Python included in the .blend can harm your OS straight away during the on-scene-loading trigger. That's all folks. That's why run autoscripts is disabled by default - the whole story ends here.

    My advice is to keep the autorun option disabled, trigger it manually on each file if you're confident about it, and never run Blender as administrator, especially if you work with unknown blend files, because this may give a malicious script unlimited power, I guess.

    Best Regards!
    Albert
    Last edited by karab44; 15-Jan-18 at 18:29.



  11. #11
    Member
    Join Date
    Aug 2010
    Location
    Adelaide, South Australia
    Posts
    2,748
    These vulnerabilities are not to do with scripting... but other methods of injecting code. That run autoscripts option would not protect against these vulnerabilities (which includes image loading & loading old multires objects)



  12. #12
    Member minoribus
    Join Date
    Feb 2013
    Location
    Germany
    Posts
    3,307
    I agree. In my eyes it is not appropriate to narrow the discussion down to .blend files with python scripts.

    If I understood the post from Cisco correctly, many of the issues (nearly half of them) are about opening images like .tiff, .bmp, .png, .hdr or dealing with .avi, and even the thumbnail viewer for directory browsing is vulnerable. Therefore I think it is not so much about script access. The point is that it doesn't need a .blend file with a script to make use of the vulnerabilities. A prepared image file could be enough. And a prepared image file, which leads to a buffer overrun when loaded, is a well known attack vector. Much easier to exploit than, for example, Spectre and Meltdown.

    And yes, attackers do make use of these vulnerabilities. It's their "job" to do so and it's a multi million dollar business.

    I work in the Internet industry. And whenever we have to decide which software should be used for a client project, we do look at how committed the respective "vendor" is to closing vulnerabilities, no matter if it's open source or commercial software. That's always a major point in the discussion. Every CTO in a studio will take that into account also, when a new software shall be integrated into the pipeline. Management of risks is about both questions: How likely is it that the event of an attack will happen, and how big is the impact if it happens? Imagine a malicious attacker introducing a crypto trojan through that. Tight budgets and deadlines don't need that - even if there are backups.

    So, I think these issues should be addressed and fixed by the BF. Perhaps with 2.8 and maybe ported back to 2.79 then.

    Edit:
    The actual plan of the developers is to fix many of these issues for 2.79a, as I read on Blender Nation after my post. That's good news.
    Last edited by minoribus; 16-Jan-18 at 14:07.
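Posts #10 and #12 above describe two different things a render farm, or anyone opening files from strangers, has to deal with: Python embedded in a .blend, which an operator can detect and strip, and a crafted file whose declared sizes push a parser past the end of its buffer. The C program below, an added example and not Blender's own code, does both on constructed input: it walks the block table of a .blend, refuses any block whose declared length is not actually present in the file, and counts embedded Text datablocks. It assumes the .blend layout used by 2.7x files (a 12-byte file header "BLENDER" + pointer-size char + endian char + 3-char version; then per-block headers of code[4], int32 length, old pointer, int32 SDNA index, int32 count; Text ID blocks carry the code "TX" followed by two zero bytes; the table ends at "ENDB"). The sample bytes are hand-built by `build_sample`, not saved by Blender, and only little-endian files are handled.

```c
/*
 * blend_scan.c: walk the block table of a .blend file from an untrusted
 * source, validate every declared length against the bytes actually present,
 * and count embedded Text (TX) datablocks.  Added example, not Blender code.
 *
 * Assumed layout (little-endian .blend):
 *   file header : "BLENDER", ptr-size char ('_'=4, '-'=8), endian ('v'/'V'), version
 *   block header: code[4], int32 len, old pointer (4 or 8), int32 SDNA index, int32 count
 *   terminator  : block code "ENDB";  Text IDs: code "TX" + two zero bytes
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    SCAN_OK = 0,
    SCAN_BAD_HEADER = -1,   /* not a .blend, or an unknown pointer/endian flag */
    SCAN_TRUNCATED = -2,    /* a block claims more bytes than the file holds */
    SCAN_COMPRESSED = -3,   /* gzip magic: inflate before scanning */
    SCAN_BIG_ENDIAN = -4    /* valid file, but this example reads little-endian only */
};

typedef struct {
    int total_blocks;   /* block headers walked, ENDB included */
    int text_blocks;    /* Text (TX) ID blocks seen */
    int saw_endb;       /* 1 if the ENDB terminator was reached */
} scan_result;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

int blend_scan(const uint8_t *buf, size_t len, scan_result *out)
{
    memset(out, 0, sizeof *out);
    if (len >= 2 && buf[0] == 0x1f && buf[1] == 0x8b)
        return SCAN_COMPRESSED;
    if (len < 12 || memcmp(buf, "BLENDER", 7) != 0)
        return SCAN_BAD_HEADER;
    size_t ptr_size = buf[7] == '_' ? 4 : buf[7] == '-' ? 8 : 0;
    if (ptr_size == 0)
        return SCAN_BAD_HEADER;
    if (buf[8] == 'V')
        return SCAN_BIG_ENDIAN;
    if (buf[8] != 'v')
        return SCAN_BAD_HEADER;

    const size_t hdr = 4 + 4 + ptr_size + 4 + 4;   /* code, len, old ptr, SDNA index, count */
    size_t off = 12;
    for (;;) {
        if (len - off < hdr)                       /* never read a header that is not fully present */
            return SCAN_TRUNCATED;
        const uint8_t *b = buf + off;
        uint32_t block_len = rd_le32(b + 4);
        out->total_blocks++;
        if (memcmp(b, "ENDB", 4) == 0) {
            out->saw_endb = 1;
            return SCAN_OK;
        }
        if (b[0] == 'T' && b[1] == 'X' && b[2] == 0 && b[3] == 0)
            out->text_blocks++;
        /* block_len is attacker-controlled.  Checking it against the bytes that
         * remain, before using it to advance or copy, is the difference between
         * a reader that rejects a crafted file and one that overruns its buffer. */
        if (block_len > len - off - hdr)
            return SCAN_TRUNCATED;
        off += hdr + block_len;
    }
}

/* ---- constructed sample input: hand-built bytes, never written by Blender ---- */
static size_t put_block(uint8_t *dst, const char *code, uint32_t declared_len,
                        const uint8_t *payload, size_t payload_len)
{
    memcpy(dst, code, 4);
    dst[4] = (uint8_t)declared_len;         dst[5] = (uint8_t)(declared_len >> 8);
    dst[6] = (uint8_t)(declared_len >> 16); dst[7] = (uint8_t)(declared_len >> 24);
    memset(dst + 8, 0, 16);                 /* 8-byte old pointer, SDNA index, count */
    if (payload_len)
        memcpy(dst + 24, payload, payload_len);
    return 24 + payload_len;
}

/* with_text: include a TX block.  lie_about_len: add a block whose header
 * declares 1 GiB of payload that is not in the file (the crafted-file case). */
size_t build_sample(uint8_t *dst, int with_text, int lie_about_len)
{
    static const uint8_t payload[8] = {0};
    size_t n = 0;
    memcpy(dst, "BLENDER-v279", 12); n += 12;   /* 8-byte pointers, little-endian, 2.79 */
    n += put_block(dst + n, "OB\0\0", 8, payload, 8);
    if (with_text)
        n += put_block(dst + n, "TX\0\0", 8, payload, 8);
    if (lie_about_len)
        n += put_block(dst + n, "DATA", 0x40000000u, NULL, 0);
    n += put_block(dst + n, "ENDB", 0, NULL, 0);
    return n;
}

int main(void)
{
    uint8_t file[256];
    scan_result r;
    size_t n = build_sample(file, 1, 0);
    int rc = blend_scan(file, n, &r);
    printf("clean file:   rc=%d blocks=%d text=%d endb=%d\n", rc, r.total_blocks, r.text_blocks, r.saw_endb);
    n = build_sample(file, 0, 1);
    rc = blend_scan(file, n, &r);
    printf("crafted file: rc=%d blocks=%d (rejected before reading past the end)\n", rc, r.total_blocks);
    return 0;
}
```

Two caveats a farm operator would want. A TX count is only a partial screen for embedded Python: driver expressions and other script entry points are not Text datablocks, so a clean result here does not mean the file is script-free. And, as post #11 says, none of this touches the image and legacy-data loaders the Talos advisories concern; a pre-screen of the .blend container cannot protect a decoder that mishandles a crafted .tiff or .hdr referenced from it. What carries over is the discipline shown in `blend_scan`: every length that came from the file is compared against what is actually left before it is trusted.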



  13. #13
    Security salesman: Hello, we have investigated the security of your house, as a free service to you.
    House owner: Hello, that's interesting, I'd like to know more.
    Security salesman: We have determined that there are 21 weak spots in this wall. When any of them is hit with a sledgehammer, an intruder can walk right in. We strongly suggest you fortify this wall.
    House owner: There are so many other ways someone could break in with less effort, seems like a waste of time to fortify that one wall.
    Security salesman: But you are putting your family in danger if you don't do it.
    House owner: We live in a pretty safe neighborhood, our neighbors don't even have locks on their doors. Fortifying our entire house would be very expensive and take years, and I'm not sure my family would want me to cancel our vacations to pay for it.
    Security salesman: You were warned, we have informed the world that you decline to protect your family from this danger.
    House owner: Fine, I'll fix the damn wall ...



  14. #14
    By the way, I do think image file vulnerabilities should have higher priority. However in practice it's not clear these vulnerabilities can actually be exploited, and the files would need to be crafted specifically to target Blender. It's not that much easier to trick a Blender user to download a malicious image file than a .blend file.

    And of course, at this moment there are published OpenEXR image vulnerabilities that affect almost all installed 3D software, but the industry as a whole does not appear to be particularly worried about that kind of thing.


