Milvus Remote Expression Execution Vulnerability
Vulnerability
A remote expression execution vulnerability has been identified in Milvus versions through 2.6.7. The issue arises in the HTTP endpoint '/expr', implemented in the 'pkg/util/expr/expr.go' file. The endpoint deserializes and evaluates user-provided expressions and is reachable remotely. When the endpoint is accessible and its authentication secret is weak or known, an attacker could execute arbitrary expression logic. This could lead to unauthorized access to internal configuration or state, manipulation of runtime settings, or denial-of-service conditions through excessive resource consumption.
Impact
Exploitation of this vulnerability allows for remote expression execution on the server. Depending on the capabilities exposed in the expression environment, this could lead to unauthorized information disclosure, unauthorized modification of runtime configurations, denial-of-service conditions through resource exhaustion, or further escalation if file or network primitives become accessible.
Reproduction
The vulnerability can be reproduced by sending a GET request to the '/expr' endpoint with a crafted 'code' parameter that exploits the deserialization vulnerability. The 'auth' parameter must also be included, using the default value derived from the 'etcd.rootPath' configuration, which is 'by-dev'. This can be done using tools like curl or through a web application that interacts with the Milvus server.
Remediation
Users are advised to disable the '/expr' endpoint by default or remove it in production builds. The internal HTTP server should be configured to only accept requests from localhost or be protected by firewall rules. Additionally, the authentication mechanism should be strengthened by using a high-entropy token instead of the default etcd.rootPath value. After applying these changes, the endpoint should be tested to ensure that the vulnerability has been effectively mitigated.
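The following sketch, added here as an example and not Milvus's own code, shows the two remediation controls above applied to an '/expr'-style handler: requests are only accepted from loopback addresses, the 'auth' parameter is compared in constant time against a configured high-entropy token, and the default etcd.rootPath value 'by-dev' is rejected as a token. GuardExpr, SecretIsStrong and Probe are hypothetical names, and the 32-byte minimum token length is an assumption, not a Milvus setting.

```go
package main

import (
	"crypto/subtle"
	"net"
	"net/http"
	"net/http/httptest"
)
// defaultRootPath is the default etcd.rootPath value the advisory warns is used as the token.
const defaultRootPath = "by-dev"

// SecretIsStrong rejects the default token and short tokens (32-byte minimum is an assumption).
func SecretIsStrong(secret string) bool {
	return secret != defaultRootPath && len(secret) >= 32
}

// GuardExpr wraps an /expr-style handler: only loopback clients with a matching 'auth' reach it.
func GuardExpr(secret string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		ip := net.ParseIP(host)
		if err != nil || ip == nil || !ip.IsLoopback() { // fail closed on unparsable addresses
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		// Constant-time compare so response timing does not leak the token.
		got := []byte(r.URL.Query().Get("auth"))
		if subtle.ConstantTimeCompare(got, []byte(secret)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one GET with the given remote address and token and returns the status code.
func Probe(h http.Handler, remoteAddr, auth string) int {
	req := httptest.NewRequest(http.MethodGet, "/expr?auth="+auth, nil)
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := "example-token-0123456789abcdef0123456789" // constructed for this example, 40 bytes
	h := GuardExpr(secret, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) }))
	println(Probe(h, "10.0.0.5:4000", secret), Probe(h, "127.0.0.1:4000", defaultRootPath), Probe(h, "127.0.0.1:4000", secret)) // 403 401 200
}
```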
