Remote Code Execution via Controlled File Write
A vulnerability in MLflow versions 2.6.0 to 2.9.1 allows remote code execution through a controlled file write mechanism. The issue arises from the handling of model source URLs, enabling an attacker to create or overwrite arbitrary files on the system. This vulnerability was patched in version 2.9.2.
Available publicly on Nov 16 2023
Threat Overview
The vulnerability stems from the way MLflow processes model source URLs. Specifically, when a model is created with a source URL pointing to another model that, in turn, points to a malicious server, MLflow fetches and writes files as specified by the attacker. This behavior can be exploited to write arbitrary files on the system, leading to remote code execution. The lack of authentication by default and the ability to control the file path and content through a malicious server are key factors that facilitate this exploit.
Attack Scenario
An attacker sets up a malicious server to serve a JSON response that specifies a file path and content. The attacker then creates two models in MLflow: the first model's source points to the malicious server, and the second model's source points to the first model. When MLflow processes the second model, it fetches the file specification from the malicious server and writes the specified file to the system, allowing the attacker to execute arbitrary code.
Who is affected
Any user or organization running MLflow versions 2.6.0 to 2.9.1 with default configurations is vulnerable to this attack. The vulnerability specifically affects environments where MLflow is used for tracking experiments, packaging code, and sharing and deploying models without requiring authentication.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.