Medium

neural-compressor

Sensitive Information Disclosure Due to Weak Permissions in a Short Time Window

A vulnerability in the Intel Neural Compressor's configuration handling could lead to sensitive information disclosure due to a TOCTOU (Time-of-Check Time-of-Use) race condition. The issue, present in the master version, was patched in version 2.5.0. It arises from writing sensitive information to a file before adjusting its permissions, creating a window where the data could be accessed unauthorizedly.

Available publicly on May 15 2024

4.7

CVSS:

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Credit:

lujiefsi
Threat Overview

The vulnerability stems from the process of writing sensitive information to a file and subsequently changing the file's permissions using chmod. This sequence creates a time window susceptible to a TOCTOU race condition attack. During this window, an attacker could exploit the gap between the file creation and permission modification to gain unauthorized access to the sensitive information. This type of vulnerability is particularly concerning because it relies on the inherent race condition between two operations that are assumed to be atomic but are not.

Attack Scenario

An attacker monitors the file system for the creation of new files. Upon detection of a new file created by the vulnerable code in the Intel Neural Compressor, the attacker quickly attempts to access the file before its permissions are secured. If successful, the attacker gains access to sensitive information that was intended to be protected, potentially leading to further exploitation of the system or data breach.

Who is affected

Any users or systems utilizing the Intel Neural Compressor master version prior to the patch in version 2.5.0 are at risk. This includes individuals and organizations that rely on this tool for neural network model optimization and are potentially exposing sensitive configuration data due to this vulnerability.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.