Full Report
A high-severity security flaw has been disclosed in Meta's Llama large language model (LLM) framework that, if successfully exploited, could allow an attacker to execute arbitrary code on the llama-stack inference server. The vulnerability, tracked as CVE-2024-50050, has been assigned a CVSS score of 6.3 out of 10.0. Supply chain security firm Snyk, on the other hand, has assigned it a
Analysis Summary
# Vulnerability: Arbitrary Code Execution in Meta Llama Stack via Pickle Deserialization
## CVE Details
- CVE ID: CVE-2024-50050
- CVSS Score: 6.3 (Medium); note that Snyk independently assigned a severity rating of 9.3 (Critical)
- CWE: Deserialization of Untrusted Data
## Affected Systems
- Products: meta-llama (specifically the Llama Stack reference Python Inference API implementation)
- Versions: Versions prior to `0.0.41`
- Configurations: Systems where the ZeroMQ socket is exposed over the network.
## Vulnerability Description
The vulnerability is a Remote Code Execution (RCE) flaw residing in the Llama Stack component. The reference Python Inference API implementation automatically deserializes Python objects using the `pickle` protocol when processing data received over a ZeroMQ socket (`recv_pyobj`). Since `pickle` is inherently unsafe when handling untrusted data, an attacker sending specially crafted, malicious serialized Python objects over the exposed ZeroMQ socket can force server-side deserialization, leading to arbitrary code execution on the host machine.
## Exploitation
- Status: PoC available (a public technical analysis has been published, implying the flaw is exploitable)
- Complexity: Low (Sending crafted data over an exposed socket)
- Attack Vector: Network
## Impact
- Confidentiality: High (Arbitrary code execution allows access to system data)
- Integrity: High (Arbitrary code execution allows data modification/system compromise)
- Availability: High (Arbitrary code execution can lead to system shutdown or denial of service)
## Remediation
### Patches
- **llama-stack:** Update to version `0.0.41` or later.
- **pyzmq:** The underlying library dependency has also been remediated.
### Workarounds
- Do not expose the ZeroMQ socket over the network.
- Migrate serialization format from `pickle` to a safer alternative (Meta switched to JSON in the fix).
## Detection
- **Indicators of Compromise (IoCs):** Network traffic containing unusual or large serialized Python objects destined for the ZeroMQ socket endpoint.
- **Detection Methods and Tools:** Monitoring network traffic targeting ZeroMQ ports for unexpected payload contents or deserialization events within the Llama Stack application logs.
## References
- Vendor Advisories: [Relevant GitHub Pull Request Fixing Issue](https://github.com/meta-llama/llama-stack/pull/232)
- Relevant Links:
  - [NVD Entry for CVE-2024-50050](https://nvd.nist.gov/vuln/detail/CVE-2024-50050)
  - [Snyk Vulnerability Report](https://security.snyk.io/vuln/SNYK-PYTHON-LLAMASTACK-8302915)
  - [Oligo Security Analysis](https://www.oligo.security/blog/cve-2024-50050-critical-vulnerability-in-meta-llama-llama-stack)