Blackmagic Software recently patched two security flaws in the widely used DaVinci Resolve software that could allow attackers to achieve code execution on unpatched systems. DaVinci Resolve is an open software platform that includes video editing, visual effects, color correction, motion graphics, and audio post-production capabilities in one package.
According to its developer Blackmagic, DaVinci Resolve is “Hollywood’s most popular solution for editing” for Mac, Windows, and Linux. Cisco Talos security researchers found the two remote code execution (RCE) security issues: CVE-2021-40417 and CVE-2021-40418. Both have a CVSSv3 severity score of 9.8/10. Both are caused by flaws in DaVinci Resolve’s DPDecoder service and are triggered by a heap-based buffer overflow while decoding a video file or by an incorrect UUID while parsing video files.
“[CVE-2021-40417] is a heap-based buffer overflow vulnerability that occurs when the application faces an integer overflow condition that leads to a sign extension while trying to decode a video file,” Cisco Talos clarified. “Alternatively, [CVE-2021-40418] could also lead to code execution, but is instead triggered as the result of an uninitialized object member as a result of an incorrect UUID.”
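The bug class named in the first quote (an integer overflow whose result is sign-extended into a buffer size) can be illustrated with the added example below. It is not DaVinci Resolve or DPDecoder code: the header layout, the function names and the 256 MiB limit are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical frame header: field names are illustrative, not DPDecoder's. */
struct frame_hdr {
    uint16_t width, height, bytes_per_pixel;
};

#define MAX_FRAME_BYTES ((size_t)256 << 20) /* assumed policy limit: 256 MiB */

/* Flawed pattern: the size is held in a signed 32-bit value. Once the product
 * reaches 2^31 it wraps negative, and widening to size_t sign-extends it. */
size_t unchecked_len(const struct frame_hdr *h)
{
    uint32_t wrapped = (uint32_t)h->width * h->height * h->bytes_per_pixel;
    int32_t len = (int32_t)wrapped;   /* negative when bit 31 is set */
    return (size_t)len;               /* sign extension on 64-bit targets */
}

/* Hardened pattern: compute in 64 bits, where three 16-bit factors cannot
 * wrap, and reject empty or over-limit frames before any allocation. */
bool checked_len(const struct frame_hdr *h, size_t max, size_t *out)
{
    if (h->width == 0 || h->height == 0 || h->bytes_per_pixel == 0)
        return false;
    uint64_t total = (uint64_t)h->width * h->height * h->bytes_per_pixel;
    if (total > max)
        return false;
    *out = (size_t)total;
    return true;
}

int main(void)
{
    /* Constructed sample headers. */
    struct frame_hdr ok = {1920, 1080, 4}, bad = {0x8000, 0x8000, 2};
    size_t n = 0;
    printf("ok:  unchecked=%zu checked=%d\n", unchecked_len(&ok),
           checked_len(&ok, MAX_FRAME_BYTES, &n));
    printf("bad: unchecked=%zu checked=%d\n", unchecked_len(&bad),
           checked_len(&bad, MAX_FRAME_BYTES, &n));
    return 0;
}
```

A length that disagrees between the allocation and the later copy is what turns this arithmetic error into a heap overflow, so the check belongs before either step.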
Remote threat actors can exploit the defects in low-complexity attacks, and successful exploitation does not require authentication or user interaction. Cisco Talos detected the two code execution flaws while evaluating DaVinci Resolve version 17.3.1.0005. Both flaws have subsequently been fixed by Blackmagic, and users are urged to update to DaVinci Resolve 17.4.3, the most recent release for their platform, as soon as feasible.
According to the Cisco Talos team, it worked with Blackmagic to rectify the vulnerabilities and provide an update to affected consumers. The DaVinci Resolve 17.4.3 changelog, which was released earlier this week, includes thorough instructions for installing DaVinci Resolve software on a device.