Since August 2023, members of the Huntr bug bounty platform for artificial intelligence (AI) and machine learning (ML) have uncovered over a dozen vulnerabilities exposing AI/ML models to system takeover and sensitive information theft.
Identified in tools with hundreds of thousands or millions of downloads per month, such as H2O-3, MLflow, and Ray, these issues potentially impact the entire AI/ML supply chain, says Protect AI, which manages Huntr.
A low-code machine learning platform, H2O-3 supports the creation and deployment of ML models via a web interface, by just importing data. It allows users to upload Java objects remotely via API calls.
By default, the installation is exposed to the network and does not require authentication, thus allowing attackers to supply malicious Java objects that H2O-3 would execute, allowing them to access the operating system.
Tracked as CVE-2023-6016 (CVSS score of 10), the remote code execution (RCE) vulnerability could allow attackers to completely take over the server and steal models, credentials, and other data.
The bug hunters uncovered two other critical issues in the low-code service, namely a local file include flaw (CVE-2023-6038) and a cross-site scripting (XSS) bug (CVE-2023-6013), along with a high-severity S3 bucket takeover vulnerability (CVE-2023-6017).
MLflow, an open-source platform for the management of the end-to-end ML lifecycle, also lacks authentication by default, and the researchers identified four critical vulnerabilities in it.
The most severe of these are arbitrary file write and patch traversal bugs (CVE-2023-6018 and CVE-2023-6015, CVSS score of 10) that can allow an unauthenticated attacker to overwrite arbitrary files on the operating system and achieve RCE.
The tool was also found vulnerable to critical-severity arbitrary file inclusion (CVE-2023-1177) and authentication bypass (CVE-2023-6014) vulnerabilities.
The Ray project, an open-source framework for the distributed training of ML models, also lacks default authentication.
A critical code injection flaw in Ray’s cpu_profile format parameter (CVE-2023-6019, CVSS score of 10) could lead to full system compromise. The parameter was not validated before being inserted in a system command that was executed in a shell.
The bug hunters also identified two critical local file include issues that could allow remote attackers to read any files on the Ray system. The security defects are tracked as CVE-2023-6020 and CVE-2023-6021.
All vulnerabilities were reported to vendors at least 45 days prior to public disclosure. Users are advised to update their installations to the latest non-vulnerable versions and restrict access to the applications where patches are not available.