CVE-2024-2912 Overview
An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability is triggered when a serialized object, crafted to execute OS commands upon deserialization, is sent to any valid BentoML endpoint. This issue poses a significant security risk, enabling attackers to compromise the server and potentially gain unauthorized access or control.
Critical Impact
Remote attackers can achieve full server compromise through arbitrary command execution without authentication, potentially leading to complete system takeover, data theft, and lateral movement within the network.
Affected Products
- BentoML Framework (versions prior to security patch)
Discovery Timeline
- 2024-04-16 - CVE-2024-2912 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-2912
Vulnerability Analysis
This insecure deserialization vulnerability (CWE-1188: Insecure Default Initialization of Resource) in the BentoML framework allows unauthenticated attackers to achieve remote code execution through the network. The vulnerability requires no user interaction and can affect resources beyond the security scope of the vulnerable component, making it particularly dangerous for organizations deploying machine learning models via BentoML.
The exploitation mechanics involve crafting a malicious serialized object that, when processed by the BentoML endpoint, executes attacker-controlled operating system commands. Since BentoML is commonly used for serving machine learning models, affected deployments are often internet-facing, significantly increasing the attack surface.
Root Cause
The root cause of this vulnerability lies in the insecure handling of serialized data within the BentoML framework. The application fails to properly validate or sanitize incoming serialized objects before deserializing them, allowing maliciously crafted payloads to execute arbitrary code during the deserialization process. This is a classic insecure deserialization pattern where untrusted data is passed directly to deserialization functions without adequate security controls.
Attack Vector
The attack vector is network-based and does not require authentication or user interaction. An attacker can exploit this vulnerability by sending a specially crafted POST request containing a malicious serialized object to any valid BentoML endpoint. Upon deserialization, the payload triggers the execution of embedded OS commands with the privileges of the BentoML process.
The vulnerability affects any BentoML endpoint that accepts and processes serialized data, making the entire API surface potentially exploitable. Attackers can leverage this to establish reverse shells, exfiltrate sensitive data including ML model weights and training data, or pivot to other systems within the network.
Detection Methods for CVE-2024-2912
Indicators of Compromise
- Unusual POST requests to BentoML endpoints containing suspicious serialized payloads or pickle objects
- Unexpected child processes spawned by the BentoML service (e.g., shell interpreters like /bin/sh, /bin/bash, cmd.exe)
- Anomalous outbound network connections from the server hosting BentoML
- Unexpected file system modifications or new files created by the BentoML process
Detection Strategies
- Implement deep packet inspection to identify malicious serialized objects in HTTP POST requests targeting BentoML endpoints
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious process execution chains originating from Python/BentoML processes
- Configure application-layer firewalls to inspect and block requests containing potentially malicious serialization patterns
Monitoring Recommendations
- Enable detailed logging for all BentoML API endpoints and monitor for anomalous request patterns
- Set up alerts for process creation events where BentoML spawns unexpected child processes
- Monitor network traffic for unusual outbound connections from ML serving infrastructure
- Implement file integrity monitoring on servers hosting BentoML deployments
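The detection strategies above depend on recognising dangerous serialized objects before they are deserialized, and the Root Cause section notes that the missing control was validation of incoming serialized data. The following added example (written for this page; it is not BentoML's code and not the upstream patch) shows both halves of that control in Python: a static scanner that lists every module reference a pickle stream would import without executing it, suitable for a reverse proxy or log scanner, and an allowlist-based unpickler that refuses anything else. The SAFE_GLOBALS allowlist and the sample payloads are constructed assumptions.

```python
import io
import os
import pickle
import pickletools

# Assumption (hypothetical allowlist): the service only expects plain data containers,
# so these are the only importable names a request body may reference.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def pickle_globals(data: bytes) -> list:
    """List every (module, name) the stream would import, without executing it.
    pickletools.genops only disassembles, so this is safe on untrusted bytes and can
    run in a reverse proxy or log scanner before BentoML ever sees the body."""
    refs, strings = [], []            # strings: operands of recent string-push opcodes
    for op, arg, _ in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            refs.append(tuple(arg.split(" ", 1)))      # rendered as "module name"
        elif op.name == "STACK_GLOBAL":
            # protocol 4+: module and name are the two most recently pushed strings;
            # if they arrived via memo GETs we cannot resolve them, so flag as unknown
            refs.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        elif op.name in _STRING_OPS:
            strings.append(arg)
    return refs

def is_suspicious(data: bytes, allowlist=SAFE_GLOBALS) -> bool:
    """True if the stream imports anything outside the allowlist or is malformed."""
    try:
        return any(ref not in allowlist for ref in pickle_globals(data))
    except Exception:                 # truncated or garbage streams are treated as hostile
        return True

class RestrictedUnpickler(pickle.Unpickler):
    """Load-side control: refuse to resolve any callable outside the allowlist."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

# Constructed samples: a benign feature vector, plus a harmless stand-in for a payload
# that references an OS-level callable (posix.getcwd, nothing destructive).
BENIGN_SAMPLE = pickle.dumps({"features": [1.0, 2.0, 3.0]})
HOSTILE_SAMPLE = pickle.dumps(os.getcwd)
LEGACY_SAMPLE = pickle.dumps(os.getcwd, protocol=2)   # older GLOBAL opcode form
```

The scanner never calls pickle.loads, so it can be applied to captured request bodies from logs as well as to live traffic; the RestrictedUnpickler is the in-process backstop for code paths that must deserialize.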
How to Mitigate CVE-2024-2912
Immediate Actions Required
- Update BentoML to the patched version immediately by applying commit fd70379733c57c6368cc022ac1f841b7b426db7b or a later release
- Audit all BentoML deployments within your environment and inventory affected systems
- Implement network segmentation to limit exposure of BentoML services to trusted networks only
- Review server logs for any signs of prior exploitation attempts
Patch Information
The BentoML development team has addressed this vulnerability through a security commit on GitHub. Organizations should update their BentoML installations to include this fix. Additional details about the vulnerability discovery can be found in the Huntr bounty report.
Workarounds
- Restrict network access to BentoML endpoints using firewalls and access control lists, allowing only trusted sources
- Implement a reverse proxy with request filtering to inspect and sanitize incoming requests before they reach BentoML
- Disable or remove any unnecessary BentoML endpoints until the patch can be applied
- Consider running BentoML in a containerized environment with minimal privileges and network isolation
# Example: Restricting access to BentoML with iptables
# Allow only the trusted internal network to reach the BentoML service (default port 3000)
# Note: the INPUT chain is evaluated top to bottom, so these rules must come before any
# broader ACCEPT rule, and they do not persist across reboots unless saved (e.g. iptables-save)
iptables -A INPUT -p tcp --dport 3000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.