Full Report
We identified remote code execution vulnerabilities in open-source AI/ML libraries published by Apple, Salesforce and NVIDIA. The post Remote Code Execution With Modern AI/ML Formats and Libraries appeared first on Unit 42.
Analysis Summary
The breakdown below summarizes the Unit 42 research. The announcement itself names only the vendors and the vulnerability class; identifiers, fixed versions and scores come from the vendor advisories listed under References and should be checked there before being relied on.
# Vulnerability: RCE via Unsafe Deserialization in AI/ML Libraries (Apple, Salesforce, NVIDIA)
## CVE Details
- **CVE ID:** Not given in the Unit 42 announcement; take the identifiers from the vendor advisories in References. The identifiers CVE-2024-27306, CVE-2024-22419 and CVE-2024-0132 do not apply here: they are assigned to aiohttp, Vyper and the NVIDIA Container Toolkit respectively.
- **CVSS Score:** Not given in the announcement; see the vendor advisories. Code execution on load of an untrusted file is ordinarily rated High to Critical, with Attack Vector Local and User Interaction Required.
- **CWE:** CWE-502 (Deserialization of Untrusted Data), CWE-94 (Code Injection)
## Affected Systems
- **Products:**
- Apple Core ML Tools (`coremltools`)
- Salesforce Merlion (Time series intelligence library)
- NVIDIA ChatRTX (formerly Chat with RTX)
- **Versions (as reported; confirm against each vendor advisory in References):**
- `coremltools` < 7.1
- `merlion` < 2.0.0
- NVIDIA ChatRTX < v0.2
- **Configurations:** Any system that loads or converts model files from untrusted sources, in particular pickle-based artifacts (PyTorch `.pt`/`.pth`/`.bin` checkpoints, `joblib` dumps) and the Core ML conversion pipelines (`.mlmodel`, `.mlpackage`) that consume them.
## Vulnerability Description
The vulnerabilities stem from storing model weights, metadata and configuration in serialization formats that execute code on load, above all **Python's `pickle` module**. A pickle stream is a small program for a stack machine: it can name any importable callable (`GLOBAL`/`STACK_GLOBAL`) and invoke it (`REDUCE`), so `pickle.load()` on an untrusted file is code execution by design, not a bug that a patch to `pickle` can remove.
- **Apple/Core ML:** `coremltools` called `pickle.load()` while converting models from other frameworks (Keras, PyTorch) into Core ML format, so a crafted source model runs the attacker's commands inside the conversion process, on the developer's workstation or build server.
- **Salesforce/NVIDIA:** These libraries saved and loaded model state with `pickle` or `joblib` (a thin wrapper around pickle with the same semantics). Loading a tampered file executes the embedded callable before `load()` returns, in the context and with the privileges of the application.
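The mechanism in runnable form, as an added example that is not code from Unit 42 or from any of the three libraries: a pickle stream carries a reference to a callable plus its arguments, and `pickle.load()` invokes it before returning. The poisoned object here calls `eval("2 ** 10")` so the demo is harmless; an attacker substitutes `os.system` or `subprocess.Popen` and nothing else changes. The allow-list `Unpickler` is the standard mitigation where pickle cannot be replaced; the class names, `ALLOWED_GLOBALS` and both sample checkpoints are constructed for this illustration.

```python
import io
import pickle


class PoisonedModel:
    """Attacker-controlled object inside a 'model' file (constructed for the demo).

    __reduce__ tells pickle how to rebuild the object: by CALLING the first
    element with the second as arguments. Nothing stops that callable from
    being os.system; eval("2 ** 10") stands in for it here so the demo is safe.
    """

    def __reduce__(self):
        return (eval, ("2 ** 10",))


def build_poisoned_model_bytes() -> bytes:
    """Bytes an attacker would upload as a model checkpoint (constructed)."""
    return pickle.dumps(PoisonedModel(), protocol=4)


def build_benign_model_bytes() -> bytes:
    """A checkpoint that uses only plain containers and numbers (constructed)."""
    return pickle.dumps({"weights": [0.1, 0.2], "layers": ("dense", "relu")}, protocol=4)


def vulnerable_load(model_bytes: bytes):
    """The pattern behind the findings: bare pickle.load on untrusted bytes.

    The callable named in the stream has already run by the time this returns;
    for the poisoned file the 'model' is simply whatever that call produced.
    """
    return pickle.load(io.BytesIO(model_bytes))


# Globals a plain checkpoint legitimately needs. Real checkpoints also need
# numpy/torch reconstruction helpers; every entry added here is a trust decision.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "bytes"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals; any other GLOBAL/STACK_GLOBAL aborts the load."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def hardened_load(model_bytes: bytes):
    """Return (True, model) or (False, reason). The reason names the blocked global."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(model_bytes)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_load(build_poisoned_model_bytes()))  # 1024: eval ran on load
    print("hardened:  ", hardened_load(build_poisoned_model_bytes()))   # (False, '... builtins.eval')
    print("hardened:  ", hardened_load(build_benign_model_bytes()))     # (True, {...})
```

The allow-list is only as safe as its contents: as soon as a checkpoint needs `numpy` or `torch` reconstruction helpers, those go on the list, and some of them are themselves gadgets. That is why the remediation section prefers replacing the format over restricting the loader.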
## Exploitation
- **Status:** PoC Available (demonstrated by Unit 42 researchers)
- **Complexity:** Low (the victim only has to load or convert a malicious model file; no memory corruption or race is involved)
- **Attack Vector:** Supply chain and social engineering: the attacker hosts a poisoned model on a public repository such as Hugging Face and waits for it to be loaded. Delivery is over the network, but in CVSS terms this is a Local vector with User Interaction required, since the vulnerable code runs on a file the victim opens.
## Impact
- **Confidentiality:** Total (Attacker can access all data reachable by the application)
- **Integrity:** Total (Attacker can modify model logic or system files)
- **Availability:** Total (Attacker can crash services or delete data)
## Remediation
### Patches
- **Apple:** Update `coremltools` to version **7.1** or later.
- **Salesforce:** Update `merlion` to version **2.0.0** or later (see the GitHub advisory in References for the change to the loading path).
- **NVIDIA:** Update ChatRTX to **v0.2** or later.
Updating removes the known unsafe `load()` calls in the libraries. It does not make loading a pickle-based model from an untrusted source safe; that needs the workarounds below.
### Workarounds
- **Format Migration:** Store and ship weights in a non-executable format such as `safetensors` (a JSON header plus raw tensor bytes) instead of pickle-based `.bin`/`.pt` files. This protects the weights only; model code and configuration still need a trusted source. For PyTorch, load with `torch.load(path, weights_only=True)` (the default from PyTorch 2.6 onward), and never pass `allow_pickle=True` to `numpy.load` on untrusted files.
- **Sandboxing:** Run model conversion and loading in isolated, low-privilege containers with no credentials and no outbound network access they do not need.
- **Source Verification:** Only load models from trusted sources, pinned by hash or signature, and treat a community repository as untrusted input.
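Why the format migration works, as an added example (not the `safetensors` project's code, which is what production should use): a safetensors file is an 8-byte little-endian header length, a JSON header mapping tensor names to dtype, shape and byte offsets, and a flat data buffer. Parsing it takes `json` and `struct`, and there is no opcode, import or callable anywhere in the file, so a crafted file can at worst be malformed. The writer and reader below are stdlib-only illustrations of that layout; the tensor data, metadata, `MAX_HEADER_BYTES` cap and the tampering cases are constructed here.

```python
import json
import math
import struct

# dtype -> struct format character; little-endian throughout, as the format requires.
_DTYPE_FMT = {"F32": "f", "F64": "d", "I32": "i", "I64": "q", "U8": "B"}
MAX_HEADER_BYTES = 100 * 1024 * 1024  # sanity cap on the JSON header (assumed for this demo)


def write_safetensors(tensors: dict, metadata: dict = None) -> bytes:
    """tensors: name -> (dtype, shape, flat list of values). Tensors are laid out
    contiguously in name order; offsets are relative to the start of the data buffer."""
    header, body = {}, bytearray()
    for name, (dtype, shape, values) in sorted(tensors.items()):
        if math.prod(shape) != len(values):
            raise ValueError(f"{name}: shape {shape} does not match {len(values)} values")
        start = len(body)
        body += struct.pack(f"<{len(values)}{_DTYPE_FMT[dtype]}", *values)
        header[name] = {"dtype": dtype, "shape": list(shape), "data_offsets": [start, len(body)]}
    if metadata:
        header["__metadata__"] = {str(k): str(v) for k, v in metadata.items()}  # strings only
    hdr = json.dumps(header, separators=(",", ":")).encode("utf-8")
    hdr += b" " * (-len(hdr) % 8)  # pad the header to 8 bytes, as the reference writer does
    return struct.pack("<Q", len(hdr)) + hdr + bytes(body)


def read_safetensors(blob: bytes):
    """Parse with json + struct only. Every field is validated; a crafted header
    is rejected with ValueError, and there is no path by which it could run code."""
    if len(blob) < 8:
        raise ValueError("truncated: no header length")
    (n,) = struct.unpack("<Q", blob[:8])
    if n > MAX_HEADER_BYTES or 8 + n > len(blob):
        raise ValueError("header length out of range")
    header = json.loads(blob[8:8 + n])
    data = blob[8 + n:]
    metadata = header.pop("__metadata__", {})
    tensors, cursor = {}, 0
    # Offsets must be contiguous from 0 to the end of the buffer: no gaps, no overlap.
    for name, info in sorted(header.items(), key=lambda kv: kv[1]["data_offsets"][0]):
        start, end = info["data_offsets"]
        fmt = _DTYPE_FMT[info["dtype"]]
        count = math.prod(info["shape"])
        if start != cursor or end - start != count * struct.calcsize(fmt) or end > len(data):
            raise ValueError(f"{name}: bad data_offsets {info['data_offsets']}")
        values = list(struct.unpack(f"<{count}{fmt}", data[start:end]))
        tensors[name] = (info["dtype"], tuple(info["shape"]), values)
        cursor = end
    if cursor != len(data):
        raise ValueError("trailing bytes after last tensor")
    return tensors, metadata


def _rejects(blob: bytes) -> bool:
    try:
        read_safetensors(blob)
        return False
    except (ValueError, KeyError, json.JSONDecodeError):
        return True


def rejects_tampering(blob: bytes) -> bool:
    """Two crafted variants of a valid file: a truncated body and a header length
    pointing past the end. Both must be refused outright, not partially parsed."""
    truncated = blob[:-4]
    oversized = struct.pack("<Q", 1 << 40) + blob[8:]
    return all(_rejects(b) for b in (truncated, oversized))


if __name__ == "__main__":
    blob = write_safetensors(
        {"w": ("F32", (2, 2), [1.0, 2.0, 3.0, 4.0]), "b": ("I64", (2,), [-1, 7])},
        {"framework": "demo"},
    )
    print(read_safetensors(blob))
    print("tampering rejected:", rejects_tampering(blob))
```

Compare this with the pickle case: here the parser decides what to do with the bytes, whereas a pickle stream decides what the parser does.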
## Detection
- **Indicators of Compromise:** `GLOBAL`/`STACK_GLOBAL` references to `os.system`, `subprocess.Popen`, `builtins.eval`, `builtins.exec` or `builtins.__import__` followed by a `REDUCE` in the serialized stream. Note the names as they appear on disk: `os.system` pickles as `posix.system` on Linux/macOS and `nt.system` on Windows, and protocol 2 and below write `builtins` as `__builtin__`, so matching on the literal string `os.system` misses real payloads.
- **Detection Methods and Tools:**
- **Fickling:** Use `fickling` (or `pickletools.dis` from the standard library) to decompile a pickle and inspect its imports and calls without ever loading it.
- **Static Analysis:** Scan code for `pickle.load()`, `joblib.load()`, `torch.load()` without `weights_only=True`, and `numpy.load(..., allow_pickle=True)` on paths an attacker can influence.
- **EDR:** Monitor for unexpected child processes spawned by Python ML environments (e.g., `python.exe` spawning `cmd.exe` or `/bin/sh`), and for outbound connections from conversion or training jobs.
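The opcode-level check described above, as an added example (not the code of `fickling` or of the libraries in this report): walk the stream with `pickletools.genops`, resolve `GLOBAL` and `STACK_GLOBAL` references including ones that come back via the memo, normalize the `posix`/`nt`/`__builtin__` aliases, and flag any dangerous callable alongside a count of calling opcodes. The scanner never loads the pickle. The `DANGEROUS_GLOBALS` list, the verdict thresholds and both sample checkpoints are constructed for this illustration; the malicious sample references `os.system` but is only ever serialized, never loaded.

```python
import os
import pickle
import pickletools

# os.system is really posix.system (Linux/macOS) or nt.system (Windows) once pickled,
# and protocol <= 2 writes builtins as __builtin__. Normalize before matching.
_MODULE_ALIASES = {"posix": "os", "nt": "os", "__builtin__": "builtins"}

DANGEROUS_GLOBALS = {
    ("os", "system"), ("os", "popen"), ("os", "execv"), ("os", "execvp"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "call"),
    ("subprocess", "check_output"), ("subprocess", "check_call"),
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "compile"),
    ("builtins", "__import__"), ("builtins", "getattr"),  # getattr: allow-list bypass gadget
    ("importlib", "import_module"), ("runpy", "run_path"),
    ("socket", "socket"), ("shutil", "rmtree"),
}
# Opcodes that invoke something: REDUCE is the classic, the rest instantiate
# classes by calling them, and BUILD can trigger __setstate__.
CALLING_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                  "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MEMO_PUT = {"PUT", "BINPUT", "LONG_BINPUT"}
MEMO_GET = {"GET", "BINGET", "LONG_BINGET"}


def scan_pickle(data: bytes) -> dict:
    """Static scan: walks opcodes, never executes the stream."""
    strings, memo, last = [], {}, None   # strings: pushed str values; memo: index -> value
    globals_seen, calls = [], 0
    for opcode, arg, pos in pickletools.genops(data):
        op = opcode.name
        if op in STRING_OPCODES:
            strings.append(arg)
            last = arg
        elif op == "MEMOIZE":                 # protocol 4: memo index is implicit
            memo[len(memo)] = last
        elif op in MEMO_PUT:                  # protocol <= 3: explicit memo index
            memo[arg] = last
        elif op in MEMO_GET:                  # a module name may come back from the memo
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        elif op == "GLOBAL":                  # protocol <= 3: text arg "module name"
            module, _, name = arg.partition(" ")
            globals_seen.append((_MODULE_ALIASES.get(module, module), name))
            last = None
        elif op == "STACK_GLOBAL":            # protocol 4+: module and name were pushed first
            if len(strings) < 2:
                raise ValueError(f"malformed STACK_GLOBAL at byte {pos}")
            name, module = strings.pop(), strings.pop()
            globals_seen.append((_MODULE_ALIASES.get(module, module), name))
            last = None
        else:
            if op in CALLING_OPCODES:
                calls += 1
            last = None
    dangerous = sorted({g for g in globals_seen if g in DANGEROUS_GLOBALS})
    if dangerous:
        verdict = "malicious"
    elif globals_seen and calls:
        verdict = "review"    # imports and calls something: normal for numpy/torch, so check the names
    else:
        verdict = "clean"
    return {"globals": globals_seen, "calls": calls, "dangerous": dangerous, "verdict": verdict}


class _ShellDropper:
    """Constructed malicious checkpoint: on load, pickle would call os.system('echo pwned').
    It is only serialized below; nothing in this block loads it."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


MALICIOUS_P4 = pickle.dumps(_ShellDropper(), protocol=4)  # STACK_GLOBAL posix/nt system + REDUCE
MALICIOUS_P2 = pickle.dumps(_ShellDropper(), protocol=2)  # GLOBAL "posix system" + REDUCE
CLEAN = pickle.dumps({"w": [1.0, 2.0], "bias": 0.5}, protocol=4)  # containers and numbers only

if __name__ == "__main__":
    for label, sample in (("p4", MALICIOUS_P4), ("p2", MALICIOUS_P2), ("clean", CLEAN)):
        print(label, scan_pickle(sample))
```

A "review" verdict is the expected result for any real PyTorch or numpy checkpoint, which is exactly the problem with pickle as a distribution format: a benign file and a hostile one differ only in which names they import.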
## References
- **Unit 42 Original Post:** hxxps[://]unit42[.]paloaltonetworks[.]com/rce-vulnerabilities-threaten-ai-ml-libraries/
- **Apple Security:** hxxps[://]support[.]apple[.]com/en-us/HT214088
- **NVIDIA Advisory:** hxxps[://]nvidia[.]custhelp[.]com/app/answers/detail/a_id/5531
- **GitHub Advisory (Merlion):** hxxps[://]github[.]com/salesforce/Merlion/security/advisories/GHSA-m8xp-66r2-w9cf