2025-01-30 20:45:54 Pacfic
Meta Llama Framework Remote Code Execution - 3d
A critical vulnerability has been discovered in Meta's Llama framework, a popular open-source tool for developing generative AI applications. This flaw, identified as CVE-2024-50050, allows remote attackers to execute arbitrary code on servers running the Llama-stack framework. The vulnerability arises from the unsafe deserialization of Python objects via the 'pickle' module, which is used in the framework's default Python inference server method 'recv_pyobj'. This method handles serialized data received over network sockets, and due to the inherent insecurity of 'pickle' with untrusted sources, malicious data can be crafted to trigger arbitrary code execution during deserialization. This risk is compounded by the framework's rapidly growing popularity, with thousands of stars on GitHub.
The exploitation of this vulnerability could lead to various severe consequences, including resource theft, data breaches, and manipulation of the hosted AI models. Attackers can potentially gain full control over the server by sending malicious code through the network. The pyzmq library, which Llama uses for messaging, is a root cause as its 'recv_pyobj' method is known to be vulnerable when used with untrusted data. While some sources have given the flaw a CVSS score of 9.3, others have given it scores as low as 6.3 out of 10.
ImgSrc: blogger.googleusercontent.com
References:
- CISO2CISO.COM & CYBER SECURITY GROUP - Meta’s Llama Framework Flaw Exposes AI Systems to Remote Code Execution Risks – Source:thehackernews.com - 3d
- gbhackers.com - Critical Vulnerability in Meta Llama Framework Let Remote Attackers Execute Arbitrary Code - 3d
- ciso2ciso.com - Meta’s Llama Framework Flaw Exposes AI Systems to Remote Code Execution Risks – Source:thehackernews.com - 3d
- @jos1264 - Critical Vulnerability in Meta Llama Framework Let Remote Attackers Execute Arbitrary Code /vulnerability - 3d
- @jos1264 - Meta’s Llama Framework Flaw Exposes AI Systems to Remote Code Execution Risks – Source:thehackernews.com - 3d
- ciso2ciso.com - A pickle in Meta’s LLM code could allow RCE attacks – Source: www.csoonline.com - 2d
- GBHackers Security | #1 Globally Trusted Cyber Security News Platform - Further details and analysis of CVE-2024-50050 - 2d
- CISO2CISO.COM & CYBER SECURITY GROUP - A pickle in Meta’s LLM code could allow RCE attacks - 2d
Classification:
- HashTags: MetaLlama RCE AIsecurity
- Company: Meta
- Target: Llama Framework Users
- Product: Llama
- Feature: deserialization
- Type: Vulnerability
- Severity: Major