MLflow Temporary Directory World-Writable Permission Vulnerability Allowing Arbitrary Code Execution

A vulnerability in MLflow version 2.20.3 allows for arbitrary code execution due to insecure world-writable permissions (0o777) assigned to the temporary directory used for creating Python virtual environments. This issue enables an attacker with write access to the '/tmp' directory to exploit a race condition, overwriting '.py' files in the virtual environment, which are executed when the environment is used. The vulnerability has been fixed in version 3.4.0.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, with an attacker gaining the ability to execute arbitrary code on the system.

Reproduction

The vulnerability can be reproduced by creating a Python virtual environment in MLflow 2.20.3, which will be placed in a temporary directory with world-writable permissions. An attacker can then overwrite Python files in this environment, such as 'bin/activate' or any module in 'site-packages', with malicious code that will be executed when the environment is used. This can be automated with a script that monitors for vulnerable directories and injects the payload.

Remediation

Users are advised to update to MLflow version 3.4.0 or later, where this vulnerability has been fixed.