Skip to content

Instantly share code, notes, and snippets.

@hexian2001
Created October 24, 2024 15:35
Show Gist options
  • Save hexian2001/c046c066895a963ecc0a2cf9e1180065 to your computer and use it in GitHub Desktop.
Save hexian2001/c046c066895a963ecc0a2cf9e1180065 to your computer and use it in GitHub Desktop.
CVE-2024-48063
## CVE-2024-48063: Remote Code Execution via PyTorch Distributed RPC Framework
### Description
PyTorch versions <= 2.4.1 contain a vulnerability in the `rpc.remote` function, a core feature of its distributed RPC (Remote Procedure Call) framework. This function allows the creation of remote object references and the invocation of methods on these objects across different processes or nodes in a distributed system. This functionality is crucial for distributed machine learning tasks, where computations must be spread across multiple nodes.
The module `import torch.distributed.rpc as rpc` is vulnerable to serialization attacks, leading to potential command injection and remote code execution. Attackers who can post malicious payloads to the RPC framework can execute arbitrary code on the affected nodes.
### Vulnerability Type
- CWE-77: Command Injection
### Affected Product Code Base
- PyTorch <= 2.4.1 (https://github.com/pytorch/pytorch)
### Affected Component
- `torch/distributed/rpc/internal.py` (https://github.com/pytorch/pytorch/blob/main/torch/distributed/rpc/internal.py#L148)
### Attack Type
- Remote
### Impact
- Code Execution
### Attack Vectors
The vulnerability is exploitable through the `rpc.remote` function, which allows for remote object method invocation across nodes. Malicious payloads can be used to inject commands and execute code remotely.
### Reference
- [PyTorch Distributed RPC Framework RCE](https://rumbling-slice-eb0.notion.site/PyTorch-Distributed-RPC-Framework-rpc-remote-has-Deserialization-RCE-in-pytorch-pytorch-faf8bc6fa12248ba8a2377055367dd5e)
### Discoverer
- HRP, Aftersnow, Gxh
@horaortiz
Copy link

Those utilizing PyTorch in networked machine learning configurations should be very vigilant about this significant issue. Updating to the most recent version is crucial for reducing hazards related to remote code execution through the rpc.remote function. Make sure you're safe!
retro bowl online

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment