A Critical Flaw in Meta’s Llama Framework Could Enable Remote Code Execution


Generative AI frameworks, including Meta’s Llama, have been found vulnerable to remote code execution (RCE) attacks due to improper Python deserialization practices. A recently discovered flaw highlights how open-source coding oversights can expose servers to significant security risks, including resource theft, data breaches, and unauthorized AI model manipulation.

The Vulnerability: CVE-2024-50050

The flaw, identified as CVE-2024-50050, is a critical deserialization bug stemming from the unsafe use of the open-source library pyzmq within Meta’s large language model (LLM) framework. Researchers from Oligo uncovered this vulnerability in Meta’s Llama Stack, an open-source framework designed for building and deploying generative AI applications.

According to Oligo’s security experts, CVE-2024-50050 allows attackers to execute arbitrary code remotely on the inference server. This could lead to severe consequences, such as unauthorized access to sensitive data or even complete system takeover.

How the Vulnerability Works

The root of the issue lies in the use of Python’s pickle module for serialization and deserialization within Llama Stack’s inference API. Pickle is inherently risky as it can execute arbitrary code during deserialization when handling untrusted data. In this case, attackers could exploit exposed pyzmq implementations by sending carefully crafted malicious objects over network sockets.

When these objects are unpickled by the server, attackers gain the ability to execute arbitrary commands on the host machine. This flaw is particularly concerning for organizations using Llama Stack for integrating their machine learning models into application pipelines.

Oligo researchers explained that this vulnerability arises from a broader pattern of unsafe practices across several open-source AI frameworks that rely on pyzmq for messaging purposes.

Meta’s Response and Mitigation Efforts

After Oligo reported the vulnerability on September 29, 2024, Meta acted swiftly to address the issue. On October 10, 2024, Meta released a patched version (0.0.41) of Llama Stack on PyPI and transitioned its serialization format from pickle to JSON for socket communication. JSON is considered safer because deserializing it yields only plain data (strings, numbers, lists, dictionaries) and never invokes arbitrary code.
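To make the two points above concrete, the block below is an added example written for this article; it is not code from Llama Stack or from Oligo's report. It contrasts the two deserialization paths in the same way Meta's fix did: a JSON request codec with a minimal shape check (pyzmq's own `send_json`/`recv_json` helpers produce and consume exactly this kind of payload, whereas `send_pyobj`/`recv_pyobj` wrap pickle), and, for any legacy path that still has to read pickle bytes, a restricted unpickler that refuses every global lookup, so a pickle can never name a callable to invoke. The field names (`model`, `prompt`) and the sample messages are constructed for the demonstration; the standard library is used instead of a real socket.

```python
import io
import json
import pickle

# Required top-level fields of an inference request (assumed schema for this example).
_REQUIRED_FIELDS = {"model": str, "prompt": str}


def encode_request(obj: dict) -> bytes:
    """Serialize a request as compact JSON bytes, the format Llama Stack moved to."""
    if not isinstance(obj, dict):
        raise TypeError("request must be a dict")
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def decode_request(raw: bytes, max_bytes: int = 1 << 20) -> dict:
    """Parse JSON bytes received from a socket and check the expected shape.

    json.loads can only ever return plain data, so the worst an attacker controls
    here is the content of fields, never what code runs during parsing.
    """
    if len(raw) > max_bytes:
        raise ValueError("request too large")
    obj = json.loads(raw.decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("request must be a JSON object")
    for field, typ in _REQUIRED_FIELDS.items():
        if not isinstance(obj.get(field), typ):
            raise ValueError(f"missing or mistyped field: {field}")
    return obj


def is_valid_request(raw: bytes) -> bool:
    """Convenience wrapper: True if decode_request accepts the bytes."""
    try:
        decode_request(raw)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses all global references.

    Every pickle opcode that resolves a module-level name (GLOBAL, STACK_GLOBAL)
    goes through find_class; raising here means the stream can carry only
    built-in containers and scalars, not any callable to execute on load.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"global reference {module}.{name} is not allowed in this message"
        )


def restricted_loads(raw: bytes):
    """Deserialize pickle bytes while forbidding any global lookup."""
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def rejects_pickle(raw: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        restricted_loads(raw)
        return False
    except pickle.UnpicklingError:
        return True


def run_demo() -> dict:
    """Exercise both paths on constructed sample messages and return the outcomes."""
    benign = pickle.dumps({"prompt": "hello", "max_tokens": 8})
    # A pickle that merely names a global (the harmless builtin len) is enough to
    # trip the gate; a pickle of any class instance hits the same find_class path.
    names_global = pickle.dumps(len)
    return {
        "json_roundtrip": decode_request(encode_request({"model": "x", "prompt": "hi"})),
        "json_list_rejected": not is_valid_request(b'["not", "an", "object"]'),
        "benign_pickle_accepted": restricted_loads(benign),
        "global_pickle_rejected": rejects_pickle(names_global),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The restricted unpickler is a stop-gap for code that cannot yet change its wire format; the durable fix is the one Meta shipped, replacing pickle with a data-only format so that the question of which globals are "safe" never arises.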

Meta officially assigned CVE-2024-50050 a medium severity rating with a CVSS score of 6.3 on October 24, 2024. However, security experts have questioned this assessment, arguing that the nature of the vulnerability warrants a higher severity score due to its potential impact.

Disputed Severity Ratings

While Meta rated the vulnerability as medium severity, other security firms have classified it as critical. Snyk assigned CVSS scores of 9.3 under version 4.0 and 9.8 under version 3.1, reflecting the significant risk posed by this flaw.

Oligo also expressed concerns about Meta potentially understating the criticality of the issue. As of now, the vulnerability is awaiting further analysis by the National Vulnerability Database (NVD), which is managed by the US National Institute of Standards and Technology (NIST).

Implications for Open-Source AI Frameworks

This incident underscores an ongoing challenge within open-source AI frameworks—ensuring secure implementation practices while leveraging powerful libraries like pyzmq. The improper use of serialization tools like pickle can create exploitable vulnerabilities that attackers may leverage for malicious purposes.

Organizations using open-source frameworks like Llama must remain vigilant about potential security flaws and apply patches promptly when vulnerabilities are disclosed.

By addressing this critical flaw in its framework and transitioning to safer serialization methods, Meta has taken an essential step toward improving security in generative AI applications. However, this incident serves as a reminder of the importance of robust coding practices and proactive vulnerability management in safeguarding AI systems against evolving threats.
