GuanxingLu vlarl Remote Code Execution Vulnerability in ZeroMQ Reasoning Server

Vulnerability

A remote code execution vulnerability has been identified in GuanxingLu vlarl versions prior to commit 31abc0baf53ef8f5db666a1c882e1ea64def2997. The issue is in the function 'experiments.robot.bridge.reasoning_server::run_reasoning_server' in the file 'experiments/robot/bridge/reasoning_server.py'. The server deserializes incoming messages with 'pickle.loads', so an attacker who can send a message to the server can execute arbitrary code on the host system. The affected component follows a rolling release approach, so no specific affected or fixed release versions are available.

Impact

Exploitation of this vulnerability allows for remote execution of arbitrary code on the server, potentially leading to a complete compromise of the system. Such an attack could result in unauthorized access to data, disruption of services, deployment of ransomware, or further attacks on internal networks.

Reproduction

To reproduce this vulnerability, start the server by running 'python3 experiments/robot/bridge/reasoning_server.py'. Then, send a malicious payload using a ZeroMQ request socket. The payload should be crafted to exploit the deserialization vulnerability by including a command to be executed on the server, such as one that uses 'os.system' to run a command.

Remediation

Do not use 'pickle' to deserialize untrusted data. Use a data-only serialization format such as JSON or MessagePack instead, and validate every decoded message rigorously before acting on it.
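The following is an added example of the remediation described above; it is not code from the vlarl project. It replaces 'pickle.loads' with JSON decoding followed by schema validation, and keeps the ZeroMQ REP loop shape the advisory describes. The request schema (an 'instruction' string plus an 'observation' list of numbers), the bind address and the size limit are assumptions, since the page does not document the server's real message format.

```python
"""Hardened message handling for a ZeroMQ REP server.

Added example, not code from the vlarl project. The request schema below
(a text instruction plus a list of numeric observations) is assumed; the
real server's message format is not documented in the advisory.
"""
import json

# Upper bound on an accepted request frame; oversized frames are rejected before parsing.
MAX_MESSAGE_BYTES = 64 * 1024

# Hypothetical request schema: field name -> required Python type.
REQUEST_SCHEMA = {
    "instruction": str,
    "observation": list,
}


class BadRequest(ValueError):
    """Raised when an incoming frame fails decoding or validation."""


def decode_request(raw: bytes) -> dict:
    """Decode one request frame as JSON and validate it against REQUEST_SCHEMA.

    Unlike pickle.loads, json.loads can only produce plain data (dicts, lists,
    strings, numbers, booleans, None); it never instantiates arbitrary classes
    or runs code while decoding. Validation then rejects anything that does not
    match the expected shape, so a surprising payload is dropped, not acted on.
    """
    if len(raw) > MAX_MESSAGE_BYTES:
        raise BadRequest("message too large")
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise BadRequest(f"not valid UTF-8 JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise BadRequest("top-level value must be an object")
    unexpected = set(obj) - set(REQUEST_SCHEMA)
    if unexpected:
        raise BadRequest(f"unexpected fields: {sorted(unexpected)}")
    for field, expected_type in REQUEST_SCHEMA.items():
        if field not in obj:
            raise BadRequest(f"missing field: {field}")
        if not isinstance(obj[field], expected_type):
            raise BadRequest(f"field {field!r} must be {expected_type.__name__}")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not all(isinstance(x, (int, float)) and not isinstance(x, bool)
               for x in obj["observation"]):
        raise BadRequest("observation must contain only numbers")
    return obj


def encode_reply(reply: dict) -> bytes:
    """Serialize a reply as JSON so the client side is also pickle-free."""
    return json.dumps(reply).encode("utf-8")


def handle_request(raw: bytes) -> bytes:
    """Process one request frame and return the reply frame.

    A malformed or hostile frame produces an error reply instead of an
    exception escaping the server loop.
    """
    try:
        request = decode_request(raw)
    except BadRequest as exc:
        return encode_reply({"ok": False, "error": str(exc)})
    # Placeholder for the reasoning step; the real model call is not shown on the page.
    action = {"instruction_len": len(request["instruction"]),
              "observation_len": len(request["observation"])}
    return encode_reply({"ok": True, "action": action})


def serve(bind_addr: str = "tcp://127.0.0.1:5555") -> None:
    """Run a ZeroMQ REP loop on top of the hardened decoder (requires pyzmq)."""
    import zmq  # imported here so the decoding logic above has no zmq dependency
    ctx = zmq.Context()
    sock = ctx.socket(zmq.REP)
    sock.bind(bind_addr)  # bind to loopback by default; expose deliberately, not by accident
    try:
        while True:
            sock.send(handle_request(sock.recv()))
    finally:
        sock.close()
        ctx.term()


if __name__ == "__main__":
    serve()
```

The decoding and validation functions have no ZeroMQ dependency, so they can be unit-tested without a socket; 'handle_request' is the only function the socket loop calls, which keeps the trust boundary in one place. If MessagePack is preferred over JSON, 'msgpack.unpackb' with 'raw=False' can replace 'json.loads' and the same schema check applies unchanged.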

Added: Sep 25, 2025, 10:19 PM
Updated: Sep 25, 2025, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.