Remote Code Execution via Insecure Deserialization in BentoML
BentoML version 1.2.2 is vulnerable to remote code execution (RCE) through insecure deserialization, allowing attackers to execute arbitrary code by sending a malicious POST request. This vulnerability was patched in version 1.2.5.
Available publicly on Apr 16 2024 | Available with Premium on Mar 25 2024
Threat Overview
The vulnerability in BentoML arises from the framework's handling of deserialization without proper validation or sanitization of the input. Specifically, the framework accepts serialized objects in POST requests and deserializes them without checking for malicious content. This allows an attacker to craft a payload that, when deserialized, executes arbitrary code on the server. The impact is significant as it allows for immediate compromise of the server, enabling attackers to execute any command, gain remote shell access, and potentially inject backdoors for persistent access.
Attack Scenario
An attacker crafts a malicious object that, when deserialized, executes a system command of the attacker's choosing. This object is sent as a payload in a POST request to a BentoML endpoint. The server, running a vulnerable version of BentoML, deserializes the object without validation, leading to the execution of the attacker's command. This scenario demonstrates how an attacker can gain remote code execution on the server hosting the BentoML application.
Who is affected
Any server running BentoML version 1.2.2 and exposing it to network access is vulnerable to this attack. This includes applications using BentoML for machine learning model serving over a network. The vulnerability allows attackers to execute arbitrary code remotely, affecting the confidentiality, integrity, and availability of the server and its data.
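The defensive counterpart to the pattern described above, as an added example that is not BentoML's code or part of the original advisory: the advisory does not name the serialization format, so this example assumes Python's pickle module. It places the vulnerable pattern (deserialize whatever the client sent) beside a hardened request handler that gates every global the pickle stream tries to resolve through a `find_class` allowlist, so a stream referencing a callable outside that list is refused before anything can be instantiated. `SAFE_GLOBALS`, `RestrictedUnpickler`, `unsafe_loads`, `safe_loads` and `handle_request` are names chosen here, not part of any real API.

```python
import builtins
import io
import pickle
import shutil

# Constructed allowlist: only the plain-data types a model-serving endpoint
# legitimately needs. Anything else (functions or classes from os, subprocess,
# etc.) is refused before the stream can reference it, so a REDUCE opcode has
# nothing callable to invoke.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "tuple"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "str"),
    ("builtins", "int"),
    ("builtins", "float"),
    ("builtins", "bool"),
    ("builtins", "bytes"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist."""

    def find_class(self, module, name):
        # pickle calls this for every GLOBAL/STACK_GLOBAL it meets; returning
        # the object is the only way the stream can obtain a callable.
        if (module, name) in SAFE_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name}: not on the allowlist"
        )


def unsafe_loads(data: bytes):
    """The vulnerable pattern: deserialize whatever arrived in the request."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """The hardened pattern: same input, but every global is gated."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def handle_request(body: bytes):
    """Simulated POST handler: returns (status, payload) instead of raising."""
    try:
        obj = safe_loads(body)
    except pickle.UnpicklingError as exc:
        return 400, f"rejected: {exc}"
    return 200, obj


# Constructed sample inputs (not captured traffic): a benign feature dict and a
# stream that references a global outside the allowlist. shutil.which is a
# harmless stand-in for any callable an attacker would try to reach.
BENIGN_BODY = pickle.dumps({"features": [1.0, 2.5], "label": "cat"})
ROGUE_BODY = pickle.dumps(shutil.which)


def demo():
    """Run both bodies through the hardened handler; returns the two statuses."""
    return handle_request(BENIGN_BODY)[0], handle_request(ROGUE_BODY)[0]


if __name__ == "__main__":
    print(demo())
```

An allowlisted unpickler is a containment measure, not a substitute for the vendor fix: the stream format still drives object construction, and the right remedy for the issue described here is to upgrade to version 1.2.5 and to avoid accepting serialized objects from untrusted clients at all, preferring a data-only format such as JSON for request bodies.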