Background

JFrog security research team (formerly Vdoo) has recently disclosed a code injection issue in one of the utilities shipped with Tensorflow, a popular Machine Learning platform that's widely used in the industry. The issue has been assigned to CVE-2021-41228.

This disclosure is hot on the heels of our previous, similar disclosure in Yamale which you can read about in our previous blog post.

The injection issue

The issue lies in the saved_model_cli tool, which is used to save a model's state.

An attacker that can control the contents of the --input_examples argument, can provide a malicious input that runs arbitrary Python code.

The underlying issue lies in the preprocess_input_examples_arg_string function: 


def preprocess_input_examples_arg_string(input_examples_str):
    input_dict = preprocess_input_exprs_arg_string(input_examples_str)
        ...

which calls preprocess_input_exprs_arg_string, that contains the vulnerable call: 


def preprocess_input_exprs_arg_string(input_exprs_str):
    input_dict = {}

  for input_raw in filter(bool, input_exprs_str.split(';')):
      ...
        input_key, expr = input_raw.split('=', 1)
      # ast.literal_eval does not work with numpy expressions
      input_dict[input_key] = eval(expr)  # pylint: disable=eval-used
  return input_dict

In our case, input_exprs_str is the user's input coming from the command line argument.

We can see that arbitrary input is flowing to eval, which leads to code injection.

Since the --input_examples option takes only a list of dictionaries, it is unexpected by the end-user (and undocumented by the vendor) that arbitrary input can lead to code injection.

TensorFlow's fix

The issue was fixed in TensorFlow 2.7.0, we urge anyone using the saved_model_cli tool to upgrade to this version.

Since the --input_examples option should only accept a list of dictionaries, the eval call was replaced with a call to json.loads, which accepts a list of dictionaries and is safe for use with arbitrary unfiltered input.

Can we exploit it remotely?

As mentioned in our previous blogpost , these issues might be remotely exploitable (in a reasonable scenario) in the context of a parameter injection attack. See our previous blogpost for more details.

Acknowledgements

We would like to thank TensorFlow's maintainers, for validating and fixing the issue in a prompt manner and responsibly creating a CVE for the issue after the fixed version was available.

Attachments

  • Original Link
  • Original Document
  • Permalink

Disclaimer

JFrog Ltd. published this content on 16 November 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 17 November 2021 01:26:06 UTC.