Open Neural Network Exchange
cpe:2.3:a:linuxfoundation:onnx:*:*:*:*:*:*:*
- <= 1.20.1
A vulnerability in the Open Neural Network Exchange (ONNX) library, specifically in versions prior to 1.21.0, allows for attribute injection into the ExternalDataInfo class. This issue arises because the class used Python's setattr() function to load metadata from ONNX model files without validating the keys. As a result, an attacker could craft a malicious model that overwrites internal object properties, leading to potential object corruption and denial-of-service conditions. The vulnerability is triggered during model loading, when the ONNX library processes external data attributes in TensorProto objects.
Exploitation of this vulnerability can cause immediate denial-of-service by crashing the server. This occurs when the system attempts to allocate excessive memory, such as 9 petabytes, based on manipulated model attributes. Additionally, the vulnerability allows for unauthorized modification of object attributes, including 'dunder' keys, which can corrupt internal object states and potentially lead to more complex exploits.
To reproduce this vulnerability, load an ONNX model file containing crafted 'external_data' entries in the 'TensorProto' format. Include unknown keys or 'dunder' attributes to trigger the attribute injection. The vulnerability can be tested by setting the 'length' attribute to a large value, such as several petabytes, or by using a negative offset value, which can bypass file read restrictions and cause the application to crash.
Users should update to ONNX version 1.21.0 or later, where this vulnerability has been patched.
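Where an upgrade cannot be applied immediately, the key and range checks that the vulnerable code lacked can be applied to external_data entries before a model is loaded. The following is an added example, not code from the ONNX project: UnsafeInfo is a stand-in for the flawed pattern, validate_external_data is a hypothetical helper, the entries are constructed (key, value) string pairs, and the allowed key set is assumed from the ONNX external-data documentation.

```python
# Added example; UnsafeInfo and validate_external_data are hypothetical names.
ALLOWED_KEYS = {"location", "offset", "length", "checksum"}  # assumed from ONNX external-data docs


class UnsafeInfo:
    """Stand-in for the flawed pattern: every key from the file becomes an attribute."""

    def __init__(self, entries):
        self.location, self.offset, self.length = "", None, None
        for key, value in entries:
            setattr(self, key, value)  # no key validation


def validate_external_data(entries, file_size):
    """Check (key, value) string pairs before any loader acts on them.

    Returns a list of problems; an empty list means the entries are acceptable.
    """
    problems, numbers = [], {"offset": 0, "length": 0}
    for key, value in entries:
        if key not in ALLOWED_KEYS:
            problems.append(f"unexpected key {key!r}")
        elif key in numbers:
            try:
                numbers[key] = int(value)
            except ValueError:
                problems.append(f"{key} is not an integer")
                continue
            if numbers[key] < 0:
                problems.append(f"negative {key}")
    # Compare the requested byte range with the real data file size
    # so an oversized length is rejected before any allocation happens.
    if not problems and numbers["offset"] + numbers["length"] > file_size:
        problems.append("offset + length exceeds the data file size")
    return problems


# Constructed sample entries, not taken from a real model file.
BENIGN = [("location", "weights.bin"), ("offset", "0"), ("length", "4096")]
CRAFTED = [("location", "weights.bin"), ("offset", "-1"),
           ("length", str(9 * 10**15)), ("__example__", "x")]

if __name__ == "__main__":
    print(validate_external_data(BENIGN, file_size=4096))
    print(validate_external_data(CRAFTED, file_size=4096))
```

In practice file_size would come from os.path.getsize() on the resolved data file, and any non-empty result should cause the model to be rejected.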