Horovod Unauthenticated Remote Code Execution Vulnerability in ElasticRendezvousHandler

A remote code execution vulnerability has been identified in Horovod versions through v0.28.1. This issue arises from improper handling of base64-encoded data in the ElasticRendezvousHandler, a subclass of KVStoreHandler. The vulnerability allows an attacker to send a malicious pickle object via a PUT request, which is then deserialized and executed on the server, leading to arbitrary code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Horovod is running, giving an attacker full control over the system. This could lead to unauthorized access to sensitive data, modification or deletion of important files, installation of malware, or further attacks on the network.

Reproduction

The vulnerability can be reproduced by running a Horovod HTTP server that uses the ElasticRendezvousHandler. Once the server is running and listening for PUT requests, a base64-encoded malicious pickle object can be sent via a PUT request to the server. The server will then deserialize the pickle object, executing any embedded commands. This vulnerability can also be reproduced by using the 'horovodrun' command with a custom host discovery script that activates the HTTP module, allowing the PUT request to be processed by the vulnerable handler.