Critical

pytorch

Remote Code Execution in Distributed RPC Framework

A vulnerability in PyTorch's torch.distributed.rpc framework allows remote code execution by exploiting the lack of function verification during RPC calls. This issue affects versions up to and including 2.2.2. Attackers can execute arbitrary commands on master nodes in distributed training scenarios by calling built-in Python functions like eval. The vulnerability was identified in the framework's handling of RPC calls, where arbitrary functions could be executed without proper validation.

Available publicly on May 31 2024

10

CVE:

CVE-2024-5480

CWE:

77:Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Credit:

xbalien
AssessDetect

Unavailable

Remediate
Remediation Steps
  • Ensure that your PyTorch installation is updated to a version that patches this vulnerability.
  • Implement function whitelisting to only allow known, safe functions to be called via RPC.
  • Use network segmentation and firewall rules to restrict access to the RPC ports, limiting the ability of unauthorized nodes to initiate RPC calls.
  • Regularly audit and monitor network activity for unusual or unauthorized RPC calls, especially those invoking sensitive or potentially dangerous functions.
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.