
Critical PyTorch Vulnerability Can Lead to Sensitive AI Data Theft

A critical vulnerability in the PyTorch distributed RPC framework could be exploited for remote code execution. The post Critical PyTorch Vulnerability Can Lead to Sensitive AI Data Theft appeared first on SecurityWeek.

A critical-severity vulnerability in the PyTorch machine learning library could be exploited for remote code execution.

Impacting the distributed RPC (Remote Procedure Call) framework of PyTorch and tracked as CVE-2024-5480, the issue exists because the framework does not verify the functions called during RPC operations.

The framework is used in distributed training scenarios, and the flaw can be exploited for arbitrary command execution during multi-CPU RPC communication by abusing built-in Python functions.

“The vulnerability arises from the lack of restriction on function calls when a worker node serializes and sends a PythonUDF (User Defined Function) to the master node, which then deserializes and executes the function without validation,” a NIST advisory reads.

Huntr, a bug bounty platform for AI and ML, explains that when the distributed RPC framework is used for multi-CPU RPC communication, worker nodes can use specific functions to serialize and package functions and tensors into a PythonUDF, which is then sent to the master node.

“Master deserializes the received PythonUDF data and calls the _run_function. This allows the worker to execute the specified function, but since there is no restriction on function calls, it can lead to remote code execution by calling built-in Python functions like eval,” Huntr explains.
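The missing check can be shown in a simplified model, added here as an illustration; it is not PyTorch's code or its patch. It assumes a UDF is a pickled (callable, args) tuple, and the names make_udf, run_udf_unchecked, run_udf_checked, ALLOWED and is_rejected are hypothetical. The hardened master resolves only allowlisted callables while deserializing, before anything is called.

```python
import io
import math
import pickle

# Simplified model (assumption): a "UDF" is a pickled (callable, args) tuple.
def make_udf(func, *args):
    """Worker side: package a callable and its arguments for the master."""
    return pickle.dumps((func, args))

def run_udf_unchecked(blob):
    """The pattern the advisory describes: deserialize, then call whatever arrived."""
    func, args = pickle.loads(blob)
    return func(*args)

# Hypothetical policy: the only callables this master will resolve for workers.
ALLOWED = {(f.__module__, f.__qualname__) for f in (math.sqrt, math.hypot)}

class AllowlistUnpickler(pickle.Unpickler):
    """Refuse to resolve any global that is not explicitly allowlisted."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED:
            raise pickle.UnpicklingError(f"{module}.{name} is not an allowed RPC target")
        return super().find_class(module, name)

def run_udf_checked(blob):
    """Hardened master: validation happens while deserializing, before any call."""
    func, args = AllowlistUnpickler(io.BytesIO(blob)).load()
    if not callable(func):
        raise pickle.UnpicklingError("payload does not carry a callable")
    return func(*args)

def is_rejected(blob):
    """Return True when the hardened master refuses the payload."""
    try:
        run_udf_checked(blob)
    except pickle.UnpicklingError:
        return True
    return False

if __name__ == "__main__":
    benign = make_udf(math.hypot, 3, 4)       # constructed sample payloads
    builtin = make_udf(eval, "1 + 1")
    print(run_udf_checked(benign), is_rejected(benign), is_rejected(builtin))
    print(run_udf_unchecked(builtin))         # unchecked master runs the built-in
```

Because the allowlist is enforced in find_class, any payload that needs a global outside the policy fails during loading, not only ones that name a built-in directly.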

Remote attackers can exploit the vulnerability to compromise master nodes that are initiating the distributed training, which could result in the theft of sensitive data related to AI.

CVE-2024-5480, which has been assessed with a CVSS score of 10, was reported on April 12 and impacts PyTorch version 2.2.2 and prior. The latest iteration of the machine learning library is currently version 2.3.1.

The researcher who reported the vulnerability received a $1,500 bug bounty reward for the finding.
