A recent analysis by cybersecurity researchers has identified nearly two dozen critical vulnerabilities across 15 popular machine learning (ML) open-source projects. These vulnerabilities, impacting both server-side and client-side operations, pose significant risks, according to findings from security firm JFrog. This discovery exposes ML tools to potential server hijacks, privilege escalation, and extensive data compromise, raising red flags for organizations relying on these toolkits.
Key Findings
The JFrog analysis reveals that these vulnerabilities, present in ML tools like Weave, ZenML, Deep Lake, Vanna.AI, and Mage AI, can be categorized into several attack vectors, including:
- Remote Hijacking of Model Registries: Unauthorized access to key ML databases and pipelines.
- ML Database Compromise: Server-side vulnerabilities enabling data access.
- Pipeline Takeovers: Malicious control over ML workflows.
Detailed Vulnerability Breakdown
CVE-2024-7340 – Directory Traversal in Weave (CVSS 8.8):
A vulnerability allowing low-privileged users to read files across the filesystem, granting them admin-level privileges by accessing sensitive files (addressed in version 0.50.8).ZenML Access Control Issue:
An improper access control flaw that lets users escalate their privileges from viewer to admin within ZenML's MLOps framework, risking unauthorized data access in the Secret Store.CVE-2024-6507 – Command Injection in Deep Lake (CVSS 8.1):
A lack of input sanitization allows attackers to inject commands during remote dataset uploads (fixed in version 3.9.11).CVE-2024-5565 – Prompt Injection in Vanna.AI (CVSS 8.1):
A prompt injection vulnerability that could enable remote code execution on host systems, exploiting the model’s input channels.CVE-2024-45187 – Privilege Misassignment in Mage AI (CVSS 7.1):
An error in privilege assignment allows guest users remote code execution privileges, maintaining access for up to 30 days.Multiple Path Traversal Flaws in Mage AI (CVSS 6.5):
CVEs 2024-45188, 2024-45189, and 2024-45190, these vulnerabilities let users with "Viewer" roles access arbitrary text files on the Mage server, risking unauthorized data exposure.
Implications of These Vulnerabilities
JFrog emphasizes the criticality of securing MLOps pipelines as they often have privileged access to ML datasets, training, and publishing. Exploiting these flaws could allow attackers to compromise sensitive data, potentially leading to backdoored models or poisoned datasets.
Emerging Defensive Techniques: The "Mantis" Framework
This discovery aligns with recent efforts to counter cyberattacks on machine learning models. Notably, the Mantis framework has been developed by researchers at George Mason University. Mantis uses prompt injection to disrupt attackers’ operations, employing passive and active defenses that could potentially compromise attackers' systems. By leveraging decoy services and dynamic prompts, Mantis autonomously "hacks back," defending vulnerable systems from ML-targeted attacks.
Conclusion
With machine learning increasingly integrated across industries, the need to address these vulnerabilities is urgent. Security measures, especially within MLOps pipelines, must adapt to these sophisticated threats to safeguard data and maintain operational integrity.