### Key Information

#### Vulnerability Overview

- **Vulnerability Type**: Insecure deserialization leading to Remote Code Execution (RCE)
- **Affected Versions**: >=1.0, <1.4.8
- **Fixed Version**: 1.4.8
- **CVE ID**: CVE-2023-3275
- **CVSS v3 Base Metrics**:
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

#### Vulnerability Description

The BentoML runner server deserializes request parameters with Python's `pickle` protocol without restricting what the untrusted stream may reference. By setting specific request headers and placing a crafted serialized object in the request body, an unauthenticated attacker who can reach the runner server can execute arbitrary code in the server process, gaining initial access and stealing data and information stored on the server.

#### PoC (Proof of Concept)

1. Create a simple model and save it.
2. Build the model into a bento using `bentofile.yaml`.
3. Create `service.py` to host the model.
4. Use a Python script to send a request to the runner server whose body is a malicious serialized object, exploiting the insecure deserialization.

#### Root Cause Analysis

- When the BentoML runner server processes a request and the `arg-number` header equals 1, it calls `_deserialize_single_param`.
- That function uses the `Payload-Meta` and `Batch-Size` headers to construct a `Params` object whose contents are taken from the request body.
- Because the body is deserialized without restriction, an attacker can supply a serialized object whose `__reduce__` method returns a callable and arguments of their choosing; the deserializer invokes that callable on load, executing arbitrary commands.

#### Impact

The PoC runs `ls` and sends the command output to an attacker-controlled external destination. Replacing `ls` with any operating system command gives the attacker the equivalent of a remote shell on the runner host, potentially leading to full control over system resources.
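The following is an added example; it is not the page's PoC and not BentoML's code. It shows the mechanics behind the root-cause analysis above: a `__reduce__` gadget, a toy request handler that mirrors the described `arg-number` dispatch into an unrestricted `pickle.loads`, and a hardened handler that refuses to resolve any global outside an allow-list. The handler names, the header dictionary, the allow-list and the command run by the gadget are all constructed for illustration; the actual fix shipped in 1.4.8 is not reproduced here.

```python
"""Added example (not BentoML's code): a pickle gadget built on __reduce__,
a toy request handler that mirrors the header-driven deserialization path
described in the root-cause analysis, and a hardened handler that refuses
to resolve arbitrary globals. All names here are illustrative assumptions."""
import io
import pickle
import subprocess
import sys


class Gadget:
    """Object whose unpickling runs a command. pickle records the result of
    __reduce__ as (callable, args) and calls callable(*args) on load."""

    def __reduce__(self):
        # Constructed, deliberately harmless command: spawn the current
        # interpreter and print a marker. An attacker would substitute
        # any OS command here (the page's PoC uses `ls`).
        cmd = [sys.executable, "-c", "print('pwned')"]
        return (subprocess.check_output, (cmd,))


def build_payload() -> bytes:
    """What the attacker places in the request body."""
    return pickle.dumps(Gadget())


# --- Vulnerable side: unconditional pickle.loads on the body ---------------

def _deserialize_single_param(body: bytes):
    # Hypothetical stand-in for the runner-server helper the page names;
    # the defect is that the body is unpickled with no restriction.
    return pickle.loads(body)


def handle_request_vulnerable(headers: dict, body: bytes):
    """Toy dispatch mirroring the page's description: when `arg-number`
    is 1 the body is treated as a single serialized parameter."""
    if headers.get("arg-number") == "1":
        return _deserialize_single_param(body)
    raise ValueError("only the single-parameter path is modelled here")


# --- Hardened side: allow-list the globals the unpickler may resolve -------

# Constructed allow-list; a real service would list exactly the types its
# payloads legitimately contain (e.g. numpy/pandas containers), nothing else.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "bytes"),
    ("builtins", "str"), ("builtins", "int"), ("builtins", "float"),
    ("builtins", "bool"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is the only hook through which a pickle stream can reach
    a Python callable; refusing unknown (module, name) pairs here blocks
    __reduce__ gadgets before anything is invoked."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def _deserialize_single_param_safe(body: bytes):
    return RestrictedUnpickler(io.BytesIO(body)).load()


def handle_request_hardened(headers: dict, body: bytes):
    if headers.get("arg-number") == "1":
        return _deserialize_single_param_safe(body)
    raise ValueError("only the single-parameter path is modelled here")


def demo() -> dict:
    """Run both handlers against the same malicious body and report."""
    headers = {"arg-number": "1", "Batch-Size": "1"}  # constructed request
    payload = build_payload()
    result = {}
    # Vulnerable path: the command runs and its stdout becomes the "parameter".
    result["vulnerable"] = handle_request_vulnerable(headers, payload).strip()
    # Hardened path: resolving subprocess.check_output is refused before
    # anything executes.
    try:
        handle_request_hardened(headers, payload)
        result["hardened"] = "loaded"
    except pickle.UnpicklingError as exc:
        result["hardened"] = f"rejected: {exc}"
    # Plain containers never go through find_class, so benign data still
    # round-trips through the hardened handler.
    result["benign"] = handle_request_hardened(
        headers, pickle.dumps({"x": [1, 2, 3]}))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running `demo()` shows the vulnerable handler returning the marker printed by the spawned process, while the hardened handler raises `UnpicklingError` for the same bytes and still returns the benign dictionary. The allow-list is a mitigation, not a substitute for design: a service that accepts serialized Python objects from unauthenticated callers should not expose that path at all, or should authenticate the caller and use a data-only format for parameters.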