Remote Code Execution on Local System via MLproject YAML File

Products Impacted

This vulnerability was introduced in version 1.11.0 of MLflow.

CVSS Score: 8.8

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE Categorization

CWE-94: Improper Control of Generation of Code (‘Code Injection’).

Details

The vulnerability exists within the ML Project run procedure in the  _run_entry_point function, within the projects/backend/local.py file.

def _run_entry_point(command, work_dir, experiment_id, run_id):
	...
	if os.name != "nt":
    		process = subprocess.Popen(["bash", "-c", command], close_fds=True, cwd=work_dir, env=env)
	else:
    		process = subprocess.Popen(["cmd", "/c", command], close_fds=True, cwd=work_dir, env=env)

An attacker can exploit this by creating an MLflow Project where the MLproject main entrypoint command contains arbitrary code (or an operating system appropriate command). The attacker could share this project with a victim, and when the victim runs mlflow run. from within the recipe directory, the code will be executed on the victim machine.

An example MLproject file:

name: RecipeTestingProject

conda_env: conda.yaml

entry_points:
	main:
    		command: "python -c 'import os; os.system(\"ping -c 4 8.8.8.8\")'"