CVE-2024-27134
Excessive directory permissions vulnerability in mlflow (PyPI)
What is CVE-2024-27134 About?
Excessive directory permissions in MLflow can lead to a local privilege escalation via a Time-of-Check to Time-of-Use (ToCToU) attack, specifically when `spark_udf()` is called. This allows a local attacker to gain elevated permissions on the system. Exploitation requires local access and precise timing, making it challenging.
Affected Software
Technical Details
The local privilege escalation vulnerability in MLflow stems from excessive directory permissions associated with the `spark_udf()` function. When `spark_udf()` is invoked, it likely creates temporary files or directories with overly permissive write permissions, or operates on resources that other local users can reach. A local attacker can exploit a Time-of-Check to Time-of-Use (ToCToU) race condition: between the moment the MLflow process checks the permissions or state of a file or directory and the moment it actually uses it, the attacker can alter the target. This could mean replacing a legitimate file with a malicious one, substituting a symlink to a sensitive system file, or modifying contents, so that the MLflow process performs a privileged action on an attacker-controlled target, resulting in privilege escalation.
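As an added example (constructed for this page, not MLflow's own code; the advisory only says `spark_udf()` "likely" creates permissive directories), the following Python contrasts the weak pattern the Technical Details describe, a predictable working directory left world-writable, with a private directory created atomically by `tempfile.mkdtemp`, and adds an audit routine a defender can run before a process uses a directory. The function names (`make_shared_workdir`, `make_private_workdir`, `audit_workdir`, `demo`) and the `model_artifacts` path are assumptions for illustration. The audit uses `lstat` rather than `stat` so a symlink planted at the path is reported instead of silently followed.

```python
"""Added example (not MLflow's code): the directory-permission defect class
behind a ToCToU local privilege escalation, beside a hardened alternative
and an audit that reports the risky conditions.  POSIX only."""
import os
import stat
import tempfile


def make_shared_workdir(base: str) -> str:
    # Weak pattern (constructed for contrast): a predictable path with
    # world-writable permissions.  Any local user can pre-create or replace
    # entries under it between the owning process's check and its use.
    path = os.path.join(base, "model_artifacts")  # assumed name
    os.makedirs(path, exist_ok=True)
    os.chmod(path, 0o777)
    return path


def make_private_workdir(base: str) -> str:
    # Hardened pattern: an unpredictable name, created atomically with mode
    # 0o700 by mkdtemp, so no other local user can pre-create it or write
    # into it.  The prefix is an assumption.
    return tempfile.mkdtemp(prefix="udf-work-", dir=base)


def audit_workdir(path: str) -> list[str]:
    """Return a list of findings; an empty list means the directory is
    owned by us, is a real directory, and is writable only by its owner."""
    findings = []
    st = os.lstat(path)  # do not follow a symlink planted at `path`
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink")
        return findings
    if not stat.S_ISDIR(st.st_mode):
        findings.append("path is not a directory")
    if st.st_uid != os.geteuid():
        findings.append("directory is not owned by the current user")
    if st.st_mode & stat.S_IWGRP:
        findings.append("directory is group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("directory is world-writable")
    return findings


def demo() -> dict[str, list[str]]:
    # Run both patterns under a fresh private base directory, plant a
    # symlink as a third case, and audit each.  Inputs are constructed.
    base = tempfile.mkdtemp(prefix="audit-demo-")
    link = os.path.join(base, "planted_link")
    os.symlink(base, link)
    return {
        "weak": audit_workdir(make_shared_workdir(base)),
        "hardened": audit_workdir(make_private_workdir(base)),
        "symlink": audit_workdir(link),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'no findings'}")
```

The weak directory is reported as both group- and world-writable, the `mkdtemp` directory produces no findings, and the planted symlink is flagged before anything is done through it. Running such a check immediately before use narrows, but does not by itself close, the check-to-use window; the durable fix is to create the directory privately in the first place, as the upgrade to 2.16.0 does on the MLflow side.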
What is the Impact of CVE-2024-27134?
Successful exploitation may allow local attackers to gain elevated permissions within the system, potentially leading to full system compromise, data manipulation, or unauthorized access to sensitive resources.
What is the Exploitability of CVE-2024-27134?
Exploiting this local privilege escalation vulnerability requires local access to the system where MLflow is running. The complexity is high due to the nature of ToCToU attacks, which demand precise timing and a deep understanding of file system operations and process execution flow. No authentication is required at the MLflow application level, but local user authentication to the operating system is a prerequisite. The attacker needs to be a local user with basic privileges. This is strictly a local attack. Special conditions include the specific invocation of `spark_udf()` within MLflow and the ability to win a race condition against system operations. Risk factors that increase exploitability include systems where MLflow is frequently used with `spark_udf()` in multi-user environments or unmanaged local systems.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-27134?
Available Upgrade Options
- mlflow
  - <2.16.0 → Upgrade to 2.16.0
Additional Resources
- https://github.com/mlflow/mlflow/pull/10874
- https://nvd.nist.gov/vuln/detail/CVE-2024-27134
- https://osv.dev/vulnerability/GHSA-qpgc-w4mg-6v92
- https://github.com/mlflow/mlflow
- https://github.com/mlflow/mlflow/commit/0b1d995d66a678153e01ed3040f3f4dfc16a0d6b
What are Similar Vulnerabilities to CVE-2024-27134?
Similar Vulnerabilities: CVE-2023-45814, CVE-2023-40156, CVE-2023-37254, CVE-2023-32600, CVE-2023-22877
