Cybersecurity researchers have disclosed a important safety flaw within the Lightning AI Studio growth platform that, if efficiently exploited, may have allowed for distant code execution.
The vulnerability, rated a CVSS rating of 9.4, allows “attackers to doubtlessly execute arbitrary instructions with root privileges” by exploiting a hidden URL parameter, software safety agency Noma mentioned in a report shared with The Hacker Information.
“This stage of entry may hypothetically be leveraged for a spread of malicious actions, together with the extraction of delicate keys from focused accounts,” researchers Sasi Levi, Alon Tron, and Gal Moyal mentioned.
The problem is embedded in a chunk of JavaScript code that might facilitate unfettered entry to a sufferer’s growth setting, in addition to run arbitrary instructions on an authenticated goal in a privileged context.
Noma mentioned it discovered a hidden parameter known as “command” in user-specific URLs – e.g., “lightning.ai/PROFILE_USERNAME/vision-model/studios/STUDIO_PATH/terminal?fullScreen=true&commmand=cmVzc…” – which could possibly be used to cross a Base64-encoded instruction to be executed on the underlying host.
Even worse, the loophole could possibly be weaponized to run instructions that may exfiltrate important data akin to entry tokens and person data to an attacker-controlled server.
Profitable exploitation of the vulnerability signifies that it may allow an adversary to execute arbitrary privileged instructions and acquire root entry, harvest delicate information, and manipulate the file system to create, delete, or modify recordsdata on the server.
All an attacker wants to tug this off is prior information of a profile username and their related Lightning AI Studio, particulars which can be publicly obtainable by way of the Studio templates gallery.
Armed with this data, the risk actor can then craft a malicious hyperlink such that it triggers code execution on the recognized Studio beneath root permissions. Following accountable disclosure on October 14, 2024, the issue has been resolved by the Lightning AI workforce as of October 25.
“Vulnerabilities like these underscore the significance of mapping and securing the instruments and programs used for constructing, coaching, and deploying AI fashions due to their delicate nature,” the researchers mentioned.
Replace
After the publication of the story, Lightning AI instructed The Hacker Information the potential vulnerability was instantly fastened after it was reported and that it discovered no proof of the difficulty being exploited within the wild. The corporate additionally mentioned its safety evaluation confirmed no unauthorized entry occurred earlier than the repair was put in place.
(The story was up to date after publication to incorporate a response from Lightning AI and make it clear that the vulnerability was by no means exploited.)
