{"id":1666,"date":"2025-01-27T12:18:13","date_gmt":"2025-01-27T12:18:13","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1666"},"modified":"2025-01-27T12:18:13","modified_gmt":"2025-01-27T12:18:13","slug":"a-pickle-in-metas-llm-code-could-allow-rce-attacks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1666","title":{"rendered":"A pickle in Meta\u2019s LLM code could allow RCE attacks"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Meta\u2019s large language model (LLM) framework, Llama, suffers a typical open-source coding oversight, potentially allowing arbitrary code execution on servers leading to resource theft, data breaches<\/a>, and AI model takeover.<\/p>\n

The flaw, tracked as CVE-2024-50050, is a critical deserialization bug belonging to a class of vulnerabilities arising from the improper use of the open-source library (pyzmq) in AI frameworks.<\/p>\n

\u201cThe Oligo research team has discovered a critical vulnerability in meta-llama<\/a>, an open-source framework from Meta for building and deploying Gen AI applications,\u201d said Oligo\u2019s security researchers in a blog post<\/a>. \u201cThe vulnerability, CVE-2024-50050<\/a> enables attackers to execute arbitrary code on the llama-stack inference server from the network.\u201d<\/p>\n

Following Oligo\u2019s report on the flaw, Meta\u2019s security team promptly patched Llama Stack, by switching the serialization format for socket communication from pickle to JSON.<\/p>\n

<\/a>A typical AI-framework flaw<\/h2>\n

According to Oligo\u2019s research, a number of open-source AI frameworks leverage an open-source messaging library (pyzmq) in an \u201cunsafe way\u201d, allowing remote code execution.<\/p>\n

The problem stems from Llama Stack using pickle, a Python module for serialization and deserialization of Python objects, within its \u201cinference API\u201d implementation, a functionality Llama has for organizations to bring their own ML models into the application pipeline.<\/p>\n

Pickle, which automatically deserializes Python objects, is inherently capable of executing arbitrary codes while deserializing untrusted data (crafted) sent by attackers, particularly with exposed pyzmq (a Python binding for ZeroMQ<\/a>) implementation.<\/p>\n

\u201cIn scenarios where the ZeroMQ socket is exposed over the network, attackers could exploit this vulnerability by sending crafted malicious objects to the socket,\u201d the researchers said, adding that unpickling these objects could allow attackers to \u201cachieve arbitrary code execution (RCE) on the host machine.\u201d<\/p>\n

<\/a>Meta likely understated the criticality<\/h2>\n

Oligo reported the vulnerability to Meta on 29 September 2024, which then acknowledged it and released a fix on GitHub<\/a> on 10th Oct 2024, with a patched version 0.0.41 pushed to PyPi.<\/p>\n

Meta, on 24th October 2024, then issued CVE-2024-50050 with a CVSS score of 6.3 (medium severity). Oligo, however, pointed out that the nature of the vulnerability warrants a much higher score.<\/p>\n

Snyk, a software supply chain security firm, assigned the vulnerability a critical CVSS score<\/a> of 9.3 under version 4.0 and 9.8 under version 3.1.<\/p>\n

Meta did not respond to queries about clarity on the flaw\u2019s severity rating till the publishing of this article. The vulnerability is presently pending analysis<\/a> by the National Vulnerability Database (NVD), a comprehensive repository of publicly disclosed vulnerabilities, managed by the US National Institute of Standards and Technology (NIST).<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Meta\u2019s large language model (LLM) framework, Llama, suffers a typical open-source coding oversight, potentially allowing arbitrary code execution on servers leading to resource theft, data breaches, and AI model takeover. The flaw, tracked as CVE-2024-50050, is a critical deserialization bug belonging to a class of vulnerabilities arising from the improper use of the open-source library […]<\/p>\n","protected":false},"author":0,"featured_media":1662,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1666","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1666"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1666"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1666\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1662"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1666"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1666"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1666"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}