CVE-2024-37054
Deserialization of untrusted data vulnerability in mlflow (PyPI)
What is CVE-2024-37054 About?
The MLflow platform, versions 0.9.0 and newer, is vulnerable to Deserialization of untrusted data. This flaw allows a maliciously uploaded PyFunc model to execute arbitrary code on an end user's system as soon as the user loads or otherwise interacts with the model. Exploitation is straightforward for an attacker who can upload a crafted model.
Affected Software
Technical Details
The Deserialization of untrusted data vulnerability in MLflow versions 0.9.0 and newer occurs because the platform deserializes PyFunc models without sufficient validation or sandboxing. An attacker can craft a malicious PyFunc model, containing arbitrary Python code within its serialization format (e.g., pickled objects). When this maliciously uploaded model is subsequently loaded and deserialized by an end user's system (e.g., for inference or examination), the embedded code is executed in the context of the user's machine. This grants the attacker arbitrary code execution capabilities, leveraging the trust placed in the MLflow platform for model distribution and usage.
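The loading step described above is where a defender can intervene. The following is an added example, not MLflow's own code: it statically lists the globals a pickled artifact would import and loads it through a restricted unpickler that rejects anything outside an allowlist. The allowlist contents and the two constructed sample artifacts are assumptions for illustration.

```python
import io
import os
import pickle
import pickletools

# Globals a plain model payload may legitimately reference. Assumption for this
# example: a real PyFunc artifact needs a project-specific allowlist.
ALLOWED_GLOBALS = {("builtins", "dict"), ("collections", "OrderedDict")}


def pickle_globals(data: bytes) -> list:
    """List every (module, name) the stream imports, without running it.
    pickletools.genops only disassembles; STACK_GLOBAL operands are taken from
    the preceding string constants, which a crafted stream can hide behind memo
    lookups, so treat this as a triage aid, not the enforcement point."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":                       # protocol <= 3: "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))  # protocol 4+: two pushed strings
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Enforcement point: find_class is consulted before a global is resolved,
    so an allowlist here stops REDUCE/BUILD call chains before anything runs."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def check_artifact(data: bytes) -> dict:
    """Triage one artifact: what it imports and whether the restricted loader accepts it."""
    try:
        RestrictedUnpickler(io.BytesIO(data)).load()
        accepted = True
    except pickle.UnpicklingError:
        accepted = False
    return {"globals": pickle_globals(data), "accepted": accepted}


# Constructed samples: a benign weights-style dict, and an artifact that merely
# references a function from os (inert to load, but outside the allowlist).
def sample_benign() -> bytes:
    return pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)


def sample_unexpected_import() -> bytes:
    return pickle.dumps(os.makedirs, protocol=4)
```

The static scan is useful for flagging artifacts in a registry, but only the restricted unpickler actually prevents code from running when a model is loaded.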
What is the Impact of CVE-2024-37054?
Successful exploitation may allow attackers to execute arbitrary code on an end user's system, leading to full system compromise, data theft, or further network penetration.
What is the Exploitability of CVE-2024-37054?
Exploitation of this deserialization vulnerability is relatively simple for an attacker who possesses the ability to upload or replace PyFunc models within the MLflow platform. The complexity is low to moderate, requiring the adversary to understand how to craft a malicious serialized Python object (e.g., using pickle with custom classes) that triggers arbitrary code execution upon deserialization. Authentication to the MLflow platform is required to upload the malicious model, but the arbitrary code execution occurs on the end user's system when they interact with it, often without their explicit authentication for that specific action. There are no specific privilege requirements beyond the ability to manage models. This is typically a remote attack if the MLflow instance is publicly accessible, allowing users to download and run models, but the impact is local to the machine that deserializes the malicious model. The risk is significantly increased if user-provided models are accepted or if legitimate models can be tampered with by an attacker.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| NiteeshPujari | Link | NiteeshPujari/CVE-2024-37054: this repository contains a Proof of Concept (PoC) for a critical deserialization vulnerability in MLflow that allows Remote Code Execution (RCE). |
What are the Available Fixes for CVE-2024-37054?
Available Upgrade Options
- No fixes available
Additional Resources
What are Similar Vulnerabilities to CVE-2024-37054?
Similar Vulnerabilities: CVE-2023-38646, CVE-2023-27909, CVE-2022-48590, CVE-2022-38680, CVE-2022-35114
