KTransformers Unauthenticated Remote Code Execution via Unsafe Pickle Deserialization in ZMQ Scheduler

Vulnerability

A remote code execution vulnerability has been identified in KTransformers versions through 0.5.3. The issue arises in the 'balance_serve' backend mode, where the scheduler RPC server binds a ZMQ ROUTER socket on all network interfaces without authentication. Incoming messages are deserialized with 'pickle.loads()' without any validation, so an attacker who can reach the socket can send a crafted pickle payload that executes arbitrary code on the server with the privileges of the KTransformers process.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where KTransformers is running.

Reproduction

To reproduce this vulnerability, deploy KTransformers with the 'balance_serve' backend type, which activates the vulnerable ZMQ ROUTER socket. The server will bind to a random port on all interfaces, exposing the socket without authentication. After the server starts, the assigned port can be found in the server logs or by scanning the ephemeral port range for ZMQ sockets. Once the port is identified, an attacker can send a crafted pickle payload to the ZMQ socket, which will be deserialized by a worker thread, leading to remote code execution.

Remediation

Users can update to KTransformers version 0.5.4 or later, where this vulnerability has been fixed. The official GitHub repository contains the patched version.

Added: Apr 23, 2026, 11:12 PM
Updated: Apr 23, 2026, 11:12 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.2
remediation: 0.0
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.