A high-severity safety flaw has been disclosed in Meta’s Llama massive language mannequin (LLM) framework that, if efficiently exploited, might enable an attacker to execute arbitrary code on the llama-stack inference server.
The vulnerability, tracked as CVE-2024-50050, has been assigned a CVSS rating of 6.3 out of 10.0. Provide chain safety agency Snyk, alternatively, has assigned it a important severity score of 9.3.
“Affected variations of meta-llama are weak to deserialization of untrusted knowledge, which means that an attacker can execute arbitrary code by sending malicious knowledge that’s deserialized,” Oligo Safety researcher Avi Lumelsky mentioned in an evaluation earlier this week.
The shortcoming, per the cloud safety firm, resides in a element referred to as Llama Stack, which defines a set of API interfaces for synthetic intelligence (AI) software improvement, together with utilizing Meta’s personal Llama fashions.
Particularly, it has to do with a distant code execution flaw within the reference Python Inference API implementation, was discovered to mechanically deserialize Python objects utilizing pickle, a format that has been deemed dangerous because of the opportunity of arbitrary code execution when untrusted or malicious knowledge is loading utilizing the library.
“In situations the place the ZeroMQ socket is uncovered over the community, attackers might exploit this vulnerability by sending crafted malicious objects to the socket,” Lumelsky mentioned. “Since recv_pyobj will unpickle these objects, an attacker might obtain arbitrary code execution (RCE) on the host machine.”
Following accountable disclosure on September 24, 2024, the problem was addressed by Meta on October 10 in model 0.0.41. It has additionally been remediated in pyzmq, a Python library that gives entry to the ZeroMQ messaging library.
In an advisory issued by Meta, the corporate mentioned it fastened the distant code execution threat related to utilizing pickle as a serialization format for socket communication by switching to the JSON format.
This isn’t the primary time such deserialization vulnerabilities have been found in AI frameworks. In August 2024, Oligo detailed a “shadow vulnerability” in TensorFlow’s Keras framework, a bypass for CVE-2024-3660 (CVSS rating: 9.8) that would end in arbitrary code execution because of the usage of the unsafe marshal module.
The event comes as safety researcher Benjamin Flesch disclosed a high-severity flaw in OpenAI’s ChatGPT crawler, which could possibly be weaponized to provoke a distributed denial-of-service (DDoS) assault towards arbitrary web sites.
The problem is the results of incorrect dealing with of HTTP POST requests to the “chatgpt[.]com/backend-api/attributions” API, which is designed to just accept a listing of URLs as enter, however neither checks if the identical URL seems a number of occasions within the record nor enforces a restrict on the variety of hyperlinks that may be handed as enter.
This opens up a situation the place a nasty actor might transmit 1000’s of hyperlinks inside a single HTTP request, inflicting OpenAI to ship all these requests to the sufferer web site with out trying to restrict the variety of connections or forestall issuing duplicate requests.
Relying on the variety of hyperlinks transmitted to OpenAI, it supplies a major amplification issue for potential DDoS assaults, successfully overwhelming the goal web site’s assets. The AI firm has since patched the issue.
“The ChatGPT crawler may be triggered to DDoS a sufferer web site through HTTP request to an unrelated ChatGPT API,” Flesch mentioned. “This defect in OpenAI software program will spawn a DDoS assault on an unsuspecting sufferer web site, using a number of Microsoft Azure IP handle ranges on which ChatGPT crawler is working.”
The disclosure additionally follows a report from Truffle Safety that well-liked AI-powered coding assistants “advocate” hard-coding API keys and passwords, a dangerous piece of recommendation that would mislead inexperienced programmers into introducing safety weaknesses of their initiatives.
“LLMs are serving to perpetuate it, doubtless as a result of they have been skilled on all of the insecure coding practices,” safety researcher Joe Leon mentioned.
Information of vulnerabilities in LLM frameworks additionally follows analysis into how the fashions could possibly be abused to empower the cyber assault lifecycle, together with putting in the ultimate stage stealer payload and command-and-control.
“The cyber threats posed by LLMs will not be a revolution, however an evolution,” Deep Intuition researcher Mark Vaitzman mentioned. “There’s nothing new there, LLMs are simply making cyber threats higher, sooner, and extra correct on a bigger scale. LLMs may be efficiently built-in into each section of the assault lifecycle with the steerage of an skilled driver. These skills are more likely to develop in autonomy because the underlying expertise advances.”
Current analysis has additionally demonstrated a brand new technique referred to as ShadowGenes that can be utilized for figuring out mannequin family tree, together with its structure, sort, and household by leveraging its computational graph. The method builds on a beforehand disclosed assault approach dubbed ShadowLogic.
“The signatures used to detect malicious assaults inside a computational graph could possibly be tailored to trace and establish recurring patterns, referred to as recurring subgraphs, permitting them to find out a mannequin’s architectural family tree,” AI safety agency HiddenLayer mentioned in a press release shared with The Hacker Information.
“Understanding the mannequin households in use inside your group will increase your general consciousness of your AI infrastructure, permitting for higher safety posture administration.”
