Amazon SageMaker Python SDK ModelBuilder Component HMAC Key Exposure Vulnerability

Vulnerability

A vulnerability exists in the ModelBuilder/Serve component of the Amazon SageMaker Python SDK, affecting versions 2.199.0 through 2.257.1 and 3.0.0 through 3.7.1. The component stores the HMAC signing key used for model-artifact integrity checks in cleartext, in the SAGEMAKER_SERVE_SECRET_KEY environment variable of the model's container definition. Because container environment variables are returned by SageMaker describe APIs (for example, DescribeModel returns the container Environment map), an authenticated remote actor with permission to call those APIs can read the key. With the key, an attacker can compute a valid integrity signature for a manipulated model artifact, which may lead to unauthorized code execution in inference containers.

Impact

An actor who extracts the HMAC signing key can sign a specially crafted model artifact so that it passes the SDK's integrity check. When an inference container loads the forged artifact, the attacker's code executes inside the container with the IAM permissions of the SageMaker execution role attached to the model.
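The following is an added illustration of the mechanism described above; it is not code from the SageMaker Python SDK and does not reproduce the SDK's actual signature format. It assumes a generic HMAC-SHA256 tag over the artifact bytes and uses constructed stand-ins for the artifact and for the key value an operator would find in SAGEMAKER_SERVE_SECRET_KEY. The point it makes is that HMAC gives integrity only while the key stays secret: once the key is readable through a describe API, no cryptographic weakness is needed to forge a tag.

```python
"""Why a readable HMAC key defeats artifact integrity checks (illustrative).

Added example for this advisory. The signing scheme here is a plain
HMAC-SHA256 tag and is NOT the SageMaker SDK's real format; the artifact
bytes and key values are constructed samples.
"""
import hashlib
import hmac
import os

# Constructed stand-ins: the "artifact" a loader would verify, a tampered
# replacement, and the key value hypothetically read from the model's
# SAGEMAKER_SERVE_SECRET_KEY environment variable via DescribeModel.
ORIGINAL_ARTIFACT = b"serialized model bytes (constructed sample)"
TAMPERED_ARTIFACT = b"attacker-controlled payload bytes (constructed sample)"
LEAKED_KEY = b"key-value-read-from-container-environment"  # constructed


def sign(key: bytes, artifact: bytes) -> str:
    """HMAC-SHA256 tag over the artifact (illustrative scheme)."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify(key: bytes, artifact: bytes, tag: str) -> bool:
    """Constant-time tag check, as a loader would perform before deserializing."""
    return hmac.compare_digest(sign(key, artifact), tag)


def forge_with_leaked_key(key: bytes, new_artifact: bytes) -> str:
    """What an attacker who has read the key can do: mint a valid tag for
    arbitrary bytes. This is ordinary signing, not a break of HMAC."""
    return sign(key, new_artifact)


def demo() -> dict:
    """Walk through the cases the advisory describes and return the verdicts."""
    issued_tag = sign(LEAKED_KEY, ORIGINAL_ARTIFACT)  # tag produced at build time
    forged_tag = forge_with_leaked_key(LEAKED_KEY, TAMPERED_ARTIFACT)

    # Control: a key that was never exposed. The attacker's tag, made with the
    # key they did see, is useless against it.
    unexposed_key = os.urandom(32)

    return {
        # Untampered artifact, original tag: accepted.
        "original_passes": verify(LEAKED_KEY, ORIGINAL_ARTIFACT, issued_tag),
        # Swapped artifact, original tag: rejected. This is what the check is for.
        "tampered_without_key_passes": verify(LEAKED_KEY, TAMPERED_ARTIFACT, issued_tag),
        # Swapped artifact re-signed with the leaked key: accepted, check bypassed.
        "tampered_with_leaked_key_passes": verify(LEAKED_KEY, TAMPERED_ARTIFACT, forged_tag),
        # Same forged tag against a key that stayed secret: rejected.
        "forgery_against_unexposed_key_passes": verify(unexposed_key, TAMPERED_ARTIFACT, forged_tag),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The fourth case is the one that matters for remediation: the integrity check itself is sound, and what the upgrade changes is where the key lives, not how the tag is computed.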

Remediation

Users are advised to upgrade to Amazon SageMaker Python SDK version 2.257.2 (2.x line) or 3.8.0 (3.x line). After upgrading, rebuild any models previously created with ModelBuilder using the updated SDK; upgrading the client library alone does not change model definitions that already exist in the account. Where the SDK cannot be upgraded immediately, remove the SAGEMAKER_SERVE_SECRET_KEY variable by recreating the model with a container environment configuration that omits it.
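To find affected model definitions and prepare the interim fix, the following added example (not part of the SageMaker SDK or of this advisory) audits DescribeModel-style responses for the SAGEMAKER_SERVE_SECRET_KEY variable and builds a sanitized container definition with the variable removed. The PrimaryContainer / Containers / Environment response shape is the real DescribeModel shape; the model records embedded below are constructed, and the `audit_live_account` helper that calls boto3 is shown for completeness but is not run here.

```python
"""Audit SageMaker model definitions for SAGEMAKER_SERVE_SECRET_KEY.

Added example for this advisory; not SageMaker SDK code. The sample model
records are constructed. audit_live_account() needs AWS credentials and the
boto3 package and is not executed by default.
"""
from typing import Any, Dict, Iterable, List

SECRET_ENV_VAR = "SAGEMAKER_SERVE_SECRET_KEY"  # variable named in the advisory


def containers_of(model: Dict[str, Any]) -> List[Dict[str, Any]]:
    """DescribeModel returns either PrimaryContainer (single container) or a
    Containers list (inference pipeline); normalise both to a list."""
    if "PrimaryContainer" in model:
        return [model["PrimaryContainer"]]
    return list(model.get("Containers", []))


def exposed_key_locations(model: Dict[str, Any]) -> List[int]:
    """Indices of the containers whose Environment carries the HMAC key."""
    return [
        i for i, c in enumerate(containers_of(model))
        if SECRET_ENV_VAR in (c.get("Environment") or {})
    ]


def sanitize_container(container: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of a container definition with the key removed and everything else
    (Image, ModelDataUrl, remaining env vars) preserved for a new CreateModel."""
    cleaned = dict(container)
    env = dict(container.get("Environment") or {})
    env.pop(SECRET_ENV_VAR, None)
    if env:
        cleaned["Environment"] = env
    else:
        cleaned.pop("Environment", None)  # don't leave an empty map behind
    return cleaned


def audit(models: Iterable[Dict[str, Any]]) -> Dict[str, List[int]]:
    """Map ModelName -> container indices exposing the key, affected models only."""
    findings: Dict[str, List[int]] = {}
    for model in models:
        locations = exposed_key_locations(model)
        if locations:
            findings[model["ModelName"]] = locations
    return findings


# Constructed DescribeModel-style records (fictitious account, names, URIs).
SAMPLE_MODELS: List[Dict[str, Any]] = [
    {
        "ModelName": "mb-demo-model",
        "ExecutionRoleArn": "arn:aws:iam::123456789012:role/SageMakerExecRole",
        "PrimaryContainer": {
            "Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/inference:latest",
            "ModelDataUrl": "s3://example-bucket/mb-demo-model/model.tar.gz",
            "Environment": {
                "SAGEMAKER_SERVE_SECRET_KEY": "0123456789abcdef",
                "SAGEMAKER_PROGRAM": "inference.py",
            },
        },
    },
    {
        "ModelName": "pipeline-model",
        "Containers": [
            {"Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/pre:1",
             "Environment": {"STAGE": "preprocess"}},
            {"Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/predict:1",
             "Environment": {"SAGEMAKER_SERVE_SECRET_KEY": "fedcba9876543210"}},
        ],
    },
    {
        "ModelName": "clean-model",
        "PrimaryContainer": {
            "Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/other:1",
            "Environment": {"SAGEMAKER_PROGRAM": "serve.py"},
        },
    },
]


def audit_live_account(region_name: str) -> Dict[str, List[int]]:
    """Run the same audit against a real account. Requires boto3 and
    sagemaker:ListModels plus sagemaker:DescribeModel permissions."""
    import boto3  # imported lazily so the module runs offline

    sm = boto3.client("sagemaker", region_name=region_name)
    models = []
    for page in sm.get_paginator("list_models").paginate():
        for summary in page["Models"]:
            models.append(sm.describe_model(ModelName=summary["ModelName"]))
    return audit(models)


if __name__ == "__main__":
    for name, indices in audit(SAMPLE_MODELS).items():
        print(f"{name}: {SECRET_ENV_VAR} present in container(s) {indices}")
```

Note that anyone with DescribeModel permission has had the same read access the audit uses, so a model flagged here should be rebuilt with the fixed SDK rather than only edited; the sanitized container definition is the stop-gap the remediation section describes, not a substitute for the upgrade.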

Added: May 14, 2026, 8:25 PM
Updated: May 14, 2026, 8:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 5.2
remediation: 0.0
relevance: 8.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.