mlflow
cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*
- >= 3.10.1.dev0, < 3.11.0
A vulnerability in MLflow in versions prior to 3.11.0 allows local attackers to execute arbitrary code by exploiting insecure temporary directory permissions. The 'get_or_create_nfs_tmp_dir()' function in 'mlflow/utils/file_utils.py' creates directories with world-writable permissions, while the '_create_model_downloading_tmp_dir()' function in 'mlflow/pyfunc/__init__.py' creates directories that are group-writable. This issue is critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The vulnerability arises because MLflow downloads model artifacts, including cloudpickle-serialized Python objects, into these insecure directories and deserializes them without integrity verification, allowing for code execution via tampered artifacts.
Exploitation of this vulnerability leads to local privilege escalation and arbitrary code execution. A local attacker can replace model artifacts in world-writable temporary directories. When the modified artifacts are deserialized, the attacker's code is executed with the privileges of the user running the process. This vulnerability is particularly severe in shared environments, such as Databricks, where NFS mounts are accessible by all local users.
The vulnerability can be reproduced by invoking Spark-based model inference, which triggers the '_create_model_downloading_tmp_dir()' function. That function in turn calls 'get_or_create_nfs_tmp_dir()', creating a world-writable directory. After the model artifacts are downloaded into this directory, a local attacker can replace the 'python_model.pkl' file with a malicious payload. When the model is loaded using 'mlflow.pyfunc.load_model()', the deserialization process executes the attacker's code.
Users can update to MLflow version 3.11.0 or later, where this vulnerability has been fixed.
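The following Python is an added example, not MLflow's code and not the upstream fix: it shows the check a defender would put in front of any "get or create" scratch directory to catch the two failure modes the advisory describes (group-writable and world-writable directories), and a hardened creation routine that refuses to reuse a pre-existing directory with bad ownership or permissions. Function names, finding labels and the demo directory layout are constructed for this example.

```python
import os
import shutil
import stat
import tempfile

# Finding labels returned by audit_tmp_dir(); constructed for this example.
GROUP_WRITABLE = "group-writable"
WORLD_WRITABLE = "world-writable"
NOT_OWNED_BY_CALLER = "not-owned-by-caller"
IS_SYMLINK = "is-symlink"


def audit_tmp_dir(path):
    """Return a list of findings explaining why `path` is unsafe to use as a
    private scratch directory, or an empty list if it is acceptable.

    A directory other local users can write into lets them swap artifacts
    (for example a pickled model) between download and deserialization.
    """
    findings = []
    st = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    if stat.S_ISLNK(st.st_mode):
        findings.append(IS_SYMLINK)
        return findings
    if st.st_uid != os.getuid():
        # On shared NFS mounts this check assumes consistent uid mapping.
        findings.append(NOT_OWNED_BY_CALLER)
    if st.st_mode & stat.S_IWGRP:
        findings.append(GROUP_WRITABLE)
    if st.st_mode & stat.S_IWOTH:
        findings.append(WORLD_WRITABLE)
    return findings


def get_or_create_private_dir(path):
    """Hardened 'get or create' for a scratch directory.

    A plain os.makedirs(path, exist_ok=True) silently reuses whatever already
    exists at `path`, regardless of owner or mode. This version creates the
    directory with mode 0o700 (umask can only clear bits, never add them) and,
    if it already exists, refuses to use it unless it passes audit_tmp_dir().
    """
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        problems = audit_tmp_dir(path)
        if problems:
            raise PermissionError(
                f"refusing to reuse {path}: {', '.join(problems)}"
            )
    return path


def demo():
    """Create a deliberately permissive directory (the weak setting) beside a
    hardened one, audit both, and report whether reuse of the weak one is
    refused. Returns (weak_findings, safe_findings, reuse_refused)."""
    base = tempfile.mkdtemp(prefix="perm-demo-")
    try:
        weak = os.path.join(base, "weak")
        os.mkdir(weak)
        os.chmod(weak, 0o777)  # the world-writable setting from the advisory
        safe = get_or_create_private_dir(os.path.join(base, "safe"))

        weak_findings = audit_tmp_dir(weak)
        safe_findings = audit_tmp_dir(safe)
        try:
            get_or_create_private_dir(weak)
            reuse_refused = False
        except PermissionError:
            reuse_refused = True
        return weak_findings, safe_findings, reuse_refused
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the weak directory as both group- and world-writable, the hardened directory as clean, and the attempt to reuse the weak directory as refused. The ownership and symlink checks matter on shared mounts: a directory that is mode 0o700 but owned by someone else, or a symlink into another user's tree, is just as unsafe as a world-writable one.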