Blackmagic Software has recently addressed two security vulnerabilities in the highly popular DaVinci Resolve software that would allow attackers to gain code execution on unpatched systems.
DaVinci Resolve is a free software platform that combines video editing and color correction, visual effects, motion graphics, and audio post-production tools in a single solution.
As its developer Blackmagic claims, DaVinci Resolve is “Hollywood’s most popular solution for editing” for Mac, Windows, and Linux.
Critical remote code execution flaws
The two remote code execution (RCE) security flaws, tracked as CVE-2021-40417 and CVE-2021-40418, were discovered by Cisco Talos security researchers and are rated with a CVSSv3 severity score of 9.8/10.
They’re both caused by weaknesses found in DaVinci Resolve’s DPDecoder service and are triggered by a heap-based buffer overflow when decoding a video file or an incorrect UUID when parsing video files.
“[CVE-2021-40417] is a heap-based buffer overflow vulnerability that occurs when the application faces an integer overflow condition that leads to a sign extension while trying to decode a video file,” Cisco Talos explained.
“Alternatively, [CVE-2021-40418] could also lead to code execution, but is instead triggered as the result of an uninitialized object member as a result of an incorrect UUID.”
The bugs can be exploited by remote threat actors in low complexity attacks, with successful exploitation not requiring authentication or user interaction.
Patches available
Cisco Talos discovered the two code execution vulnerabilities while analyzing DaVinci Resolve, version 17.3.1.0005.
Blackmagic has since patched both bugs, and users are advised to update to DaVinci Resolve 17.4.3, the latest released version for their platform, as soon as possible.
“Cisco Talos worked with Blackmagic to ensure that these issues are resolved and an update is available for affected customers,” the Cisco Talos team said.
You can find detailed info on how to install DaVinci Resolve software on your device in the DaVinci Resolve 17.4.3 changelog, released earlier this week.
Source: www.bleepingcomputer.com