A significant security vulnerability has been identified within Meta’s Llama large language model (LLM) framework. This flaw, if effectively exploited, may enable an attacker to execute arbitrary code on the llama-stack inference server. Known as CVE-2024-50050, this vulnerability has received a CVSS score of 6.3 out of 10 from the National Vulnerability Database, while Snyk, a supply chain security firm, has categorized it as critically severe with a rating of 9.3.

The analysis by Oligo Security’s researcher, Avi Lumelsky, indicates that vulnerable versions of the meta-llama framework are at risk due to the deserialization of untrusted data. An attacker can exploit this weakness by sending malicious data to be deserialized, resulting in arbitrary code execution. This issue is connected to a component called Llama Stack, which provides API interfaces for artificial intelligence application development.

The vulnerability pertains specifically to a remote code execution (RCE) flaw within the reference Python Inference API implementation. It uses the pickle format for automatic deserialization of Python objects, a method recognized for its risks associated with executing arbitrary code when processing untrusted or malicious data.

Lumelsky elaborates that in situations where the ZeroMQ socket is exposed, attackers could exploit this vulnerability by sending maliciously crafted objects, potentially achieving RCE on the host machine due to the automatic unpickling of input data.

The matter was responsibly disclosed on September 24, 2024, and Meta implemented a fix on October 10, 2024, in version 0.0.41. The issue has also been addressed in pyzmq, which facilitates access to the ZeroMQ messaging library. In a related advisory, Meta confirmed that the remote code execution risk was mitigated simply by transitioning away from using pickle as a serialization format for socket communications, opting instead for JSON.
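The before-and-after contrast described above, as an added example that is not Llama Stack's or pyzmq's own code: the pre-fix decoder hands the received frame to pickle (which is what pyzmq's `recv_pyobj()` does), while the post-fix decoder accepts JSON only and validates it against a strict schema. The field names and limits in the schema are assumptions constructed for the example.

```python
import json
import pickle

# Constructed request schema (an assumption, not Llama Stack's real wire format).
ALLOWED_FIELDS = {"prompt": str, "max_tokens": int}

class RejectedMessage(ValueError):
    """Raised when an inbound frame fails decoding or validation."""

def vulnerable_decode(frame: bytes):
    # Before the fix: the raw frame goes straight into pickle, which builds
    # whatever objects the sender encoded (pyzmq's recv_pyobj() does this).
    return pickle.loads(frame)

def safe_decode(frame: bytes) -> dict:
    # After the fix: JSON only. JSON has objects, arrays, strings, numbers,
    # booleans and null, and no way for a frame to name a Python callable.
    try:
        obj = json.loads(frame.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise RejectedMessage(f"frame is not valid JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise RejectedMessage("top-level JSON value must be an object")
    unknown = set(obj) - set(ALLOWED_FIELDS)
    if unknown:
        raise RejectedMessage(f"unexpected fields: {sorted(unknown)}")
    for name, typ in ALLOWED_FIELDS.items():
        if name not in obj:
            raise RejectedMessage(f"missing field: {name}")
        if type(obj[name]) is not typ:  # bool subclasses int, hence 'is'
            raise RejectedMessage(f"field {name} must be {typ.__name__}")
    if not 0 < obj["max_tokens"] <= 4096:
        raise RejectedMessage("max_tokens out of range")
    return obj

def looks_like_pickle(frame: bytes) -> bool:
    # Logging hook: protocol 2+ pickles open with the PROTO opcode (0x80) and end
    # with STOP (b"."). On a JSON-only endpoint a hit is worth an alert.
    return frame[:1] == b"\x80" and frame.endswith(b".")

def triage(frame: bytes) -> tuple:
    # Returns ("accepted", message) or ("rejected", reason) for the server loop.
    try:
        return ("accepted", safe_decode(frame))
    except RejectedMessage as exc:
        return ("rejected", str(exc))

# Constructed sample frames: a JSON request, and the same request pickled.
GOOD_FRAME = json.dumps({"prompt": "hello", "max_tokens": 16}).encode()
PICKLE_FRAME = pickle.dumps({"prompt": "hello", "max_tokens": 16})
```

The pickled frame is benign here, but the point is structural: the pre-fix path reconstructs whatever the sender encoded, whereas the JSON path can only ever yield plain data that is then checked field by field.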

This incident highlights a broader concern regarding deserialization vulnerabilities in AI frameworks, as evidenced by a recent analysis revealing a critical risk in TensorFlow’s Keras framework, identified as CVE-2024-3660. Additionally, a related vulnerability was disclosed affecting OpenAI’s ChatGPT crawler, which could potentially facilitate distributed denial-of-service (DDoS) attacks on arbitrary websites.

This specific flaw resulted from improper handling of HTTP POST requests to the “chatgpt[.]com/backend-api/attributions” API, allowing attackers to flood the system with multiple requests, leading to potential DDoS amplification. Security researchers are raising alarms about the security implications of such vulnerabilities, especially given the potential for these AI tools to be co-opted in cyber-attack strategies.

As cyber threats evolve, what stands out is their growing sophistication. The MITRE ATT&CK framework underscores this, pinpointing potential adversary tactics and techniques that include initial access, exploitation of vulnerabilities, and establishing persistence or command-and-control mechanisms. Professionals in the cybersecurity field must remain vigilant and proactive in addressing these risks, given the increasing role of AI technologies in attacks.

As the landscape of cybersecurity continues to evolve, being informed and prepared is critical. Organizations must understand both the risks posed by vulnerabilities such as CVE-2024-50050 and the broader implications of AI’s integration into their systems. This knowledge is the foundation for developing more robust security postures in an increasingly interconnected and technology-driven world.
