Security researchers have disclosed two vulnerabilities in Google’s Vertex AI machine learning platform that an attacker could exploit to escalate privileges and exfiltrate proprietary models from the cloud environment.
According to an analysis published by Palo Alto Networks Unit 42, abusing custom job permissions allowed the researchers to escalate privileges and gain access to all data services in the project. The researchers, Ofir Balassiano and Ofir Shaty, also warned that deploying a poisoned model in Vertex AI would let an attacker exfiltrate every other fine-tuned model in the project, a serious threat to proprietary and sensitive data.
For context, Vertex AI serves as Google’s comprehensive platform for training and deploying tailored machine learning models and applications on a large scale, having been introduced in May 2021.
The privilege escalation hinges on Vertex AI Pipelines, the feature that lets users automate and monitor machine learning operations (MLOps) workflows. Unit 42 found that by manipulating the custom job pipeline configuration, an attacker can reach resources they are not authorized to access: a specially crafted custom job runs a reverse shell, providing a backdoor into the environment.
The custom job runs under a service agent account in a tenant project, and that account holds broad permissions: it can list all service accounts, manage storage buckets, and access BigQuery tables. The researchers showed that this access can in turn be used to reach internal Google Cloud repositories and download images.
The second vulnerability involves deploying a malicious model that spawns a reverse shell once it is deployed to an endpoint. From there, the attacker abuses the read-only permissions of the “custom-online-prediction” service account to enumerate Kubernetes clusters and retrieve their credentials, which is enough to run arbitrary commands with kubectl.
The researchers noted that this lateral movement from Google Cloud Platform (GCP) into Kubernetes was possible because the permissions were linked through IAM Workload Identity Federation. With that access, the attacker can view newly created images in the Kubernetes cluster, obtain the image digest, and exfiltrate the image outside the container using the service account’s authentication token.
Moreover, malicious models could be weaponized to access and export all large language models and their associated fine-tuned adapters, significantly amplifying the risk, particularly if a developer unwittingly deploys a trojanized model from a public repository. Such an incident would enable a threat actor to exfiltrate a wide spectrum of machine learning and fine-tuned models. Following responsible disclosure practices, Google has addressed both vulnerabilities.
The research shows how a single malicious model deployment can compromise an entire AI environment: one unverified model deployed into production is enough for an attacker to exfiltrate sensitive data and every model alongside it.
Organizations should therefore put strict controls on model deployment and audit the permissions required to deploy models in tenant projects. Since a deployed model executes code at the serving endpoint, model deployment should be treated with the same scrutiny as code execution, and the right to create custom jobs or deploy models should be granted only to principals that genuinely need it.
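The audit recommended above can be approximated offline by inspecting a project's IAM policy for principals whose roles grant the two preconditions the report describes: creating custom jobs and uploading or deploying models. The following Python script is an added example, not code from Unit 42 or Google. The permission strings are assumed to match the real Vertex AI permission names, and the role-to-permission map and the policy document are constructed subsets for illustration; in practice, fetch the real policy with `gcloud projects get-iam-policy <project> --format=json` and the real role definitions with `gcloud iam roles describe <role>`.

```python
"""Flag IAM principals that can create Vertex AI custom jobs or deploy models.

Added example (not from the original report). The role-to-permission map and
the sample policy below are constructed for illustration only.
"""
import json
from collections import defaultdict

# Permissions that are the precondition for the two issues described above.
# Assumption: these are the real Vertex AI permission names; verify against
# `gcloud iam roles describe` before relying on them.
SENSITIVE_PERMISSIONS = {
    "aiplatform.customJobs.create": "run arbitrary code as the tenant service agent",
    "aiplatform.models.upload": "register an attacker-controlled model",
    "aiplatform.endpoints.deploy": "deploy a model to an endpoint (code runs at serving time)",
}

# Constructed subset of what each role grants; not the authoritative list.
ROLE_PERMISSIONS = {
    "roles/aiplatform.user": {
        "aiplatform.customJobs.create",
        "aiplatform.models.upload",
        "aiplatform.endpoints.deploy",
    },
    "roles/aiplatform.viewer": {"aiplatform.customJobs.get", "aiplatform.models.get"},
    "roles/viewer": {"aiplatform.models.get"},
    "roles/owner": {"*"},  # basic role: treat as holding everything
}

# Constructed sample policy in the shape `gcloud projects get-iam-policy` returns.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.com"]},
    {"role": "roles/aiplatform.user",
     "members": ["serviceAccount:ci-deploy@example.iam.gserviceaccount.com",
                 "group:ml-devs@example.com"]},
    {"role": "roles/aiplatform.viewer",
     "members": ["user:analyst@example.com"]}
  ]
}
""")


def sensitive_permissions_for_role(role, role_map=ROLE_PERMISSIONS):
    """Return the subset of SENSITIVE_PERMISSIONS that `role` grants."""
    perms = role_map.get(role, set())
    if "*" in perms:
        return set(SENSITIVE_PERMISSIONS)
    return perms & set(SENSITIVE_PERMISSIONS)


def find_risky_principals(policy, role_map=ROLE_PERMISSIONS):
    """Map each member to the sorted list of sensitive permissions it holds
    through its role bindings; members with none are omitted."""
    findings = defaultdict(set)
    for binding in policy.get("bindings", []):
        sensitive = sensitive_permissions_for_role(binding["role"], role_map)
        if not sensitive:
            continue
        for member in binding.get("members", []):
            findings[member] |= sensitive
    return {member: sorted(perms) for member, perms in findings.items()}


def report(findings):
    """Render one line per (member, permission) with the associated risk."""
    return [
        f"{member}: {perm} -> {SENSITIVE_PERMISSIONS[perm]}"
        for member, perms in sorted(findings.items())
        for perm in perms
    ]


if __name__ == "__main__":
    for line in report(find_risky_principals(SAMPLE_POLICY)):
        print(line)
```

Members that appear in the output are the ones who could stage either attack described above, so each binding is worth reviewing: service accounts used by CI pipelines and broad groups are the usual surprises. The script only inspects project-level bindings; organization- and folder-level bindings inherited by the project, and IAM conditions, would need to be resolved separately.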
Separately, Mozilla’s 0Day Investigative Network (0Din) has shown that crafted prompts can be used to interact with the sandbox environment underlying OpenAI’s ChatGPT, making it possible to upload and execute Python scripts, move files, and download components of the LLM’s framework. OpenAI considers these interactions expected behavior within the sandbox, which is designed to keep such activity inside its boundaries.
Security researcher Marco Figueroa stressed that operations within the containerized environment are intended features rather than security vulnerabilities. Knowledge extraction, file uploads, and code execution are all permissible as long as they do not cross the invisible boundaries of the sandbox.