BIT-mlflow-2024-37059
Deserialization of Untrusted Data vulnerability in mlflow (PyPI)
What is BIT-mlflow-2024-37059 About?
This vulnerability affects MLflow versions 0.5.0 and newer and allows deserialization of untrusted data in PyTorch models. An attacker who can upload a malicious PyTorch model can run arbitrary code on a user's system as soon as that model is loaded. If an attacker can upload models, this is a high-impact and relatively easy-to-exploit vulnerability.
Affected Software
Technical Details
The vulnerability arises because MLflow's handling of PyTorch models, specifically when loading them, does not sufficiently sanitize or validate the serialized model data. A saved PyTorch model often contains serialized Python objects that, on deserialization (e.g., via pickle), can trigger arbitrary code execution if those objects were crafted maliciously. An attacker with the ability to upload a PyTorch model to the MLflow platform can embed malicious code in the model's serialized representation. When an end user or an automated system loads that model (e.g., for inference or further training), the embedded code runs in the context of the process that loads it. This deserialization of untrusted data can lead to complete compromise of the system.
What is the Impact of BIT-mlflow-2024-37059?
Successful exploitation may allow attackers to execute arbitrary code on the affected system, compromise the integrity of machine learning models, exfiltrate sensitive data, or establish a persistent presence, leading to full system compromise.
What is the Exploitability of BIT-mlflow-2024-37059?
Exploitation requires an attacker to have the ability to upload a malicious PyTorch model to the MLflow platform. This could involve authenticated access to MLflow's artifact storage or a vulnerability allowing unauthenticated uploads. Once uploaded, the malicious code is executed when an end-user or service loads and interacts with the model. This is generally a remote attack if the MLflow platform is accessible remotely. No client-side interaction other than the benign act of loading the model is required. The complexity is medium, as it requires crafting a malicious PyTorch model. Risk factors are increased if MLflow instances allow untrusted users to upload models or if there are no integrity checks on models before deployment into environments where they will be loaded by users.
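The technical details above describe why loading a pickle-based model file executes whatever the stream references, and the exploitability note points at missing integrity checks before deployment. The following added example (not MLflow's or PyTorch's own code) shows one such pre-load check: it walks the pickle opcode stream with the standard library's pickletools and lists every module/attribute the file would import, without ever unpickling it, so an artifact can be rejected when it references anything outside an allowlist. The allowlist, the `archive/data.pkl` layout of the in-memory zip, and the two sample pickles are assumptions constructed for the example.

```python
import collections
import io
import json
import pickle
import pickletools
import zipfile

# Assumed allowlist (illustration only): top-level modules a plain state_dict pickle needs.
ALLOWED_TOP_LEVEL = {"collections", "torch"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def pickle_imports(data: bytes) -> set:
    """Return the (module, name) pairs the stream would import, without loading it."""
    imports, recent = set(), []  # recent: last two string constants pushed on the stack
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocol <= 3: arg is "module name"
            imports.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name were pushed first
            imports.add((recent[-2], recent[-1]))
        elif op.name in STRING_OPS:
            recent = (recent + [arg])[-2:]
    return imports

def disallowed_imports(data: bytes, allowed=ALLOWED_TOP_LEVEL) -> set:
    """Imports outside the allowlist; a non-empty result means reject the artifact."""
    return {imp for imp in pickle_imports(data) if imp[0].split(".")[0] not in allowed}

def audit_torch_archive(path) -> set:
    """Audit every .pkl member of a torch.save-style zip (e.g. archive/data.pkl)
    with zipfile + pickletools only, so nothing in the file is ever executed."""
    findings = set()
    with zipfile.ZipFile(path) as zf:
        for member in zf.namelist():
            if member.endswith(".pkl"):
                findings |= disallowed_imports(zf.read(member))
    return findings

# Constructed samples. SUSPICIOUS_SAMPLE merely references json.loads (no payload)
# to stand in for a pickle that imports a module a model never needs.
CLEAN_SAMPLE = pickle.dumps(collections.OrderedDict(weight=[0.1, 0.2]))
SUSPICIOUS_SAMPLE = pickle.dumps(json.loads)

def build_sample_archive(pkl: bytes) -> io.BytesIO:
    """In-memory stand-in for a .pt file: a zip holding archive/data.pkl."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pkl)
    buf.seek(0)
    return buf
```

Run the audit in the deployment pipeline before any `torch.load`; a clean result only means the file references nothing unexpected, so it complements, rather than replaces, signing the artifacts and restricting who may upload them.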
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-mlflow-2024-37059?
Available Upgrade Options
- No fixes available
Additional Resources
What are Similar Vulnerabilities to BIT-mlflow-2024-37059?
Similar Vulnerabilities: CVE-2023-4586, CVE-2023-29462, CVE-2022-21724, CVE-2020-13757, CVE-2019-15873
