In a concerning discovery for the artificial intelligence industry, cybersecurity researchers have uncovered two critical vulnerabilities in NVIDIA's widely-used Triton Inference Server that could allow remote code execution attacks.
The vulnerabilities, assigned CVE-2024-0087 and CVE-2024-0088, highlight potential risks to the security and integrity of AI systems deployed across various sectors.
The Triton Inference Server is open-source software released by NVIDIA as a crucial component of its AI platform. Designed to standardize the deployment and execution of AI models for diverse workloads, Triton is utilized by numerous artificial intelligence manufacturers globally, underscoring the widespread impact of these vulnerabilities.
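To give a sense of how clients interact with Triton, the minimal sketch below sends an inference request over the server's HTTP API using NVIDIA's tritonclient Python package. The endpoint, the model name ("simple"), and the tensor names are assumptions for illustration only.

```python
import numpy as np
import tritonclient.http as httpclient

# Connect to a Triton server (assumed here to listen on localhost:8000).
client = httpclient.InferenceServerClient(url="localhost:8000")

# Build a request for a hypothetical model named "simple" that takes a
# single FP32 tensor of shape [1, 16] and returns one output tensor.
input0 = httpclient.InferInput("INPUT0", [1, 16], "FP32")
input0.set_data_from_numpy(np.ones((1, 16), dtype=np.float32))
output0 = httpclient.InferRequestedOutput("OUTPUT0")

# Send the request and read the result back as a NumPy array.
result = client.infer(model_name="simple", inputs=[input0], outputs=[output0])
print(result.as_numpy("OUTPUT0"))
```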
- CVE-2024-0087: Arbitrary file write through Triton Server's log configuration interface leading to remote code execution.
- CVE-2024-0088: Inadequate parameter validation in Triton Server's shared memory handling leading to arbitrary address write.
Vulnerability CVE-2024-0087 stems from an arbitrary file write flaw in Triton Server's log configuration interface. By exploiting this vulnerability, an attacker can write malicious code or scripts to sensitive system files, such as /root/.bashrc or /etc/environment. Once these compromised files are executed, the attacker gains remote code execution on the Triton Server host.
The flaw was discovered by researchers Lawliet and Zhiniang Peng, who shared a proof-of-concept (PoC) exploit. The PoC appends to or overwrites a specified file, such as /root/.bashrc, and then executes an injected command through simulated script execution.
Successful exploitation allows the attacker to execute arbitrary commands with root privileges, potentially leading to complete system compromise.
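The log configuration interface in question is Triton's dynamic logging extension, which lets HTTP clients change log settings at runtime, including the log_file path. The sketch below is a rough illustration assuming the extension is exposed at /v2/logging on localhost:8000; it points log_file at a harmless temporary path, while on affected builds nothing restricted where that path could point, which is what CVE-2024-0087 exploits.

```python
import requests

# Retarget Triton's log output via the dynamic logging extension.
# On affected versions the server did not restrict the log_file path,
# so it could be pointed at sensitive files such as /root/.bashrc
# (the core of CVE-2024-0087). A harmless path is used here instead.
settings = {
    "log_file": "/tmp/triton_log_check.txt",
    "log_info": True,
    "log_warning": True,
    "log_error": True,
    "log_verbose_level": 0,
}

resp = requests.post("http://localhost:8000/v2/logging", json=settings, timeout=5)
print(resp.status_code, resp.text)
```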
The second vulnerability, CVE-2024-0088, relates to inadequate parameter validation in Triton Server's shared memory handling. Triton Server allows clients to register shared memory and to specify addresses for input parameters and output results using the shared_memory_offset and shared_memory_byte_size parameters.
However, because these parameters are not validated, an attacker can trigger writes to arbitrary addresses when output results are copied back to shared memory, potentially leading to memory data leakage or program crashes, depending on the inference model's output and parameter types.
The PoC for this vulnerability involves setting the shared_memory_offset parameter to an illegal address, causing a segmentation fault that crashes the Triton Server process. While the researchers demonstrated a crash, they acknowledge that in certain scenarios this vulnerability could enable more severe consequences, such as arbitrary code execution or sensitive data disclosure.
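For reference, the sketch below shows how a client normally registers a system shared-memory region and directs an output into it with the tritonclient package (Linux only); the region name, key, and tensor name are illustrative assumptions. CVE-2024-0088 arises because affected versions did not check the supplied offset and byte size against the registered region before writing the output.

```python
import tritonclient.http as httpclient
import tritonclient.utils.shared_memory as shm

client = httpclient.InferenceServerClient(url="localhost:8000")

# Create and register a small system shared-memory region (Linux only).
# The region name and key are arbitrary labels chosen for this example.
handle = shm.create_shared_memory_region("output_region", "/output_shm", 64)
client.register_system_shared_memory("output_region", "/output_shm", 64)

# Ask Triton to place an output tensor directly into that region.
# The offset and byte_size passed here are exactly the values that
# affected versions failed to validate against the registered region.
output0 = httpclient.InferRequestedOutput("OUTPUT0")
output0.set_shared_memory("output_region", byte_size=64, offset=0)

# ... build inputs and call client.infer(...) as usual ...

# Clean up the registration and the region when finished.
client.unregister_system_shared_memory("output_region")
shm.destroy_shared_memory_region(handle)
```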
The implications of these vulnerabilities are far-reaching, as the Triton Inference Server underpins various AI applications and services across industries.
If exploited by malicious actors, companies and manufacturers relying on the Triton Server could face catastrophic risks, including unauthorized access to sensitive user data, execution of malicious code, tampering with AI model computation results, and even the theft of proprietary AI models.
Sectors such as autonomous vehicles, conversational AI assistants, and AI-powered services could be particularly vulnerable. Compromised AI systems in these domains could endanger passenger safety, expose private user information, or result in intellectual property theft and reputational damage for affected organizations.
NVIDIA has been notified of these vulnerabilities and has released an update that addresses them.
Apart from the flaws above, NVIDIA has also fixed a medium-severity denial-of-service (DoS) vulnerability (CVE-2024-0100) in the Triton Inference Server.
"NVIDIA Triton Inference Server for Linux contains a vulnerability (CVE-2024-0100) in the tracing API, where a user can corrupt system files." - NVIDIA noted on advisory "A successful exploit of this vulnerability might lead to denial of service and data tampering."
As AI technology continues to rapidly advance and permeate various aspects of our lives, ensuring the security and integrity of AI systems is paramount to maintain trust and mitigate potential risks.