Meta’s Llama large language model (LLM) framework is facing a significant security challenge after researchers uncovered a high-severity vulnerability capable of enabling remote code execution (RCE). This flaw could allow attackers to execute arbitrary code on the Llama-Stack inference server, posing a critical risk to AI systems relying on the framework.
CVE-2024-50050: Key Details
The vulnerability, tracked as CVE-2024-50050, has been assigned a CVSS score of 6.3 by official sources, while Snyk, a supply chain security firm, rated it as critical with a score of 9.3.
The core issue lies in the deserialization of untrusted data within the Llama-Stack component. According to Oligo Security researcher Avi Lumelsky:
Llama Stack, a set of API interfaces enabling the use of Meta’s Llama models in AI applications, relies on Python's pickle module for deserialization. However, pickle is known for its inherent security risks when handling untrusted or malicious data.
In scenarios where the ZeroMQ socket is network-exposed, attackers can send specially crafted malicious objects to the socket. The recv_pyobj function automatically unpickles these objects, allowing an attacker to gain control over the host system.
Patch and Mitigation Efforts
Meta addressed this vulnerability following responsible disclosure on September 24, 2024, with a patch released on October 10, 2024, in version 0.0.41. To mitigate the risk, Meta replaced the pickle serialization format with JSON, significantly reducing the likelihood of RCE.
Additionally, the flaw has been fixed in pyzmq, a Python library facilitating ZeroMQ messaging.
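The two deserialization paths described above, as an added example that is not code from Llama Stack or pyzmq: recv_pyobj() amounts to pickle.loads() on the received frame, so any module or callable named in the stream is imported while loading, whereas the post-0.0.41 approach parses JSON (what recv_json() does) and can validate the result against a schema. The message fields and sample frames are constructed for this example; a restricted Unpickler is included as a stop-gap for code that still has to read pickle, not as something the page says Meta shipped.

```python
import io
import json
import pickle
from datetime import datetime

# Constructed schema for this example: the fields an inference request might carry.
# The real Llama Stack message layout is not shown on the page.
EXPECTED_KEYS = {"request_id": str, "prompt": str, "max_tokens": int}

# Constructed sample frames, as a ZeroMQ socket would hand them to the server.
SAMPLE_JSON = b'{"request_id": "r1", "prompt": "hello", "max_tokens": 8}'
SAMPLE_PICKLE_PLAIN = pickle.dumps({"request_id": "r1", "prompt": "hello", "max_tokens": 8})
SAMPLE_PICKLE_OBJECT = pickle.dumps({"stamp": datetime(2024, 10, 10)})  # names datetime.datetime


def decode_pyobj_unsafe(raw: bytes):
    """What recv_pyobj() does with a frame: pickle.loads() on untrusted bytes.
    Any module or callable the stream names is imported and invoked during load."""
    return pickle.loads(raw)


class DataOnlyUnpickler(pickle.Unpickler):
    """Stop-gap for code that still has to read pickle: refuse every global lookup,
    so only plain containers and primitives (dict, list, str, int, ...) can load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} from a pickle")


def decode_pyobj_restricted(raw: bytes):
    return DataOnlyUnpickler(io.BytesIO(raw)).load()


def decode_json_validated(raw: bytes) -> dict:
    """The approach the 0.0.41 patch took: JSON instead of pickle (what recv_json() does),
    plus an explicit schema check so unexpected keys or types are rejected up front."""
    obj = json.loads(raw)
    if not isinstance(obj, dict) or set(obj) != set(EXPECTED_KEYS):
        raise ValueError("unexpected message shape")
    for key, typ in EXPECTED_KEYS.items():
        if type(obj[key]) is not typ:  # exact match: bool must not pass as int
            raise TypeError(f"field {key!r} must be {typ.__name__}")
    return obj


def rejects(decoder, raw: bytes) -> bool:
    """True if the decoder refuses the frame instead of producing an object."""
    try:
        decoder(raw)
    except Exception:
        return True
    return False
```

Run the three decoders over SAMPLE_PICKLE_OBJECT to see the difference: the unsafe path happily reconstructs the datetime, the restricted unpickler refuses the global lookup, and the JSON path never sees a pickle stream at all.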
Recurring Security Risks in AI Frameworks
This incident is part of a larger trend of deserialization vulnerabilities in AI frameworks. For instance, in August 2024, Oligo Security identified a bypass for CVE-2024-3660 in TensorFlow’s Keras framework, resulting in a CVSS 9.8 severity rating. These flaws underline the persistent risks AI frameworks face due to unsafe serialization practices.
Broader Implications for AI Security
The discovery also coincides with a separate vulnerability disclosed by security researcher Benjamin Flesch in OpenAI's ChatGPT. This flaw could enable a DDoS attack against websites by exploiting incorrect handling of HTTP POST requests.
When triggered, the ChatGPT crawler could flood a target site with thousands of duplicate HTTP requests, effectively overwhelming its resources. OpenAI has since patched this issue.
Moreover, a report from Truffle Security highlights that AI-powered coding assistants often recommend hard-coding sensitive information like API keys, exacerbating security risks in software projects.
The Evolving Cyber Threat Landscape with LLMs
As LLMs continue to grow in sophistication, their integration into cyberattacks is becoming increasingly prevalent. Mark Vaitzman of Deep Instinct explains:
Security researchers are also exploring methods like ShadowGenes and ShadowLogic to analyze LLM architectures and genealogy, helping organizations better understand and secure their AI infrastructures.
Strengthening AI Security Posture
Understanding the vulnerabilities in AI frameworks is critical to mitigating risks. Organizations must stay vigilant by implementing timely updates, leveraging secure coding practices, and regularly auditing their AI ecosystems.