Adversarial Robustness Toolbox Insecure Deserialization Vulnerability in Kubeflow Component Allowing Remote Code Execution
Vulnerability
A vulnerability allowing insecure deserialization has been identified in the Adversarial Robustness Toolbox (ART) version 1.20.1 and prior, specifically within the Kubeflow component's model loading feature. It arises because the code uses torch.load() to load model weights from a file, such as model.pt, without the security parameter weights_only=True. Without that restriction, torch.load() deserializes the file with Python's pickle module, which can instantiate arbitrary Python objects and call arbitrary callables. An attacker could exploit this by uploading a maliciously crafted model file to an object storage location referenced by the pipeline, or by manipulating the model_id parameter to point to such a file. When the pipeline loads the model, the embedded payload is executed, leading to remote code execution.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where the Adversarial Robustness Toolbox is running.
Reproduction
To reproduce this vulnerability, upload a maliciously crafted model file to an object storage location that the Kubeflow pipeline can access and ensure that the model_id parameter points to this file. When the pipeline is executed, it loads the model with the vulnerable torch.load() call, which lacks the weights_only=True restriction, so the embedded payload runs.
Remediation
Users are advised to update to Adversarial Robustness Toolbox version 1.20.2 or later, where this vulnerability has been addressed.
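As an added, defender-side illustration (not code from ART, Kubeflow or this advisory), the following Python approximates what weights_only=True enforces: a static scan of the pickle stream for every global it would import, followed by an allow-listed unpickler that refuses anything else. The allow-list contents, function names and constructed inputs are assumptions; a real tensor checkpoint additionally needs torch's own tensor rebuild functions on the list.

```python
import collections, datetime, io, pickle, pickletools, zipfile

# Hypothetical allow-list: a checkpoint needs containers, never arbitrary callables.
ALLOWED_GLOBALS = {"collections.OrderedDict", "builtins.set", "builtins.bytearray"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE",
              "SHORT_BINUNICODE", "BINUNICODE8"}
def extract_pickle(blob: bytes) -> bytes:
    # torch.save writes a zip whose data.pkl member is the pickle stream; anything else is assumed to be a bare pickle.
    if blob[:2] != b"PK":
        return blob
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(next(n for n in zf.namelist() if n.endswith("data.pkl")))

def pickle_globals(data: bytes) -> set:
    # Static scan: every module.name the stream would import, without running it. STACK_GLOBAL
    # (proto >= 4) takes the two preceding strings, possibly recalled from the memo, so memo ops are tracked.
    found, strings, memo, last = set(), [], {}, None
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.add(".".join(arg.split(" ", 1))); last = None
        elif op.name == "STACK_GLOBAL":
            found.add(f"{strings[-2]}.{strings[-1]}"); last = None
        elif op.name in STRING_OPS:
            strings.append(arg); last = arg
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg); strings.append(last)
        elif op.name not in ("PROTO", "FRAME"):
            last = None  # any other opcode leaves a non-string on top of the stack
    return found
class AllowListUnpickler(pickle.Unpickler):
    # Runtime gate: the same idea a restricted unpickler applies under weights_only=True.
    def find_class(self, module, name):
        if f"{module}.{name}" not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refusing to import {module}.{name}")
        return super().find_class(module, name)
def load_checkpoint(blob: bytes):
    # Scan first, then unpickle under the allow-list. Returns (ok, value_or_reason).
    data = extract_pickle(blob)
    unlisted = pickle_globals(data) - ALLOWED_GLOBALS
    if unlisted:
        return False, f"unlisted globals: {sorted(unlisted)}"
    return True, AllowListUnpickler(io.BytesIO(data)).load()

# Constructed inputs: a plain state dict; a dict smuggling an unlisted class (a harmless
# datetime.date stands in for an attacker's chosen callable); and a stream with two globals.
SAFE_BLOB = pickle.dumps(collections.OrderedDict(bias=[0.1, 0.2]), protocol=4)
UNLISTED_BLOB = pickle.dumps({"w": [1.0], "when": datetime.date(2024, 1, 1)}, protocol=4)
MEMO_BLOB = pickle.dumps([collections.OrderedDict(), collections.deque()], protocol=4)
```

The scan is a pre-flight check suitable for a storage-side admission step; the allow-listed unpickler is the last line of defence at load time.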
