
    Google’s TensorFlow drops YAML support due to code execution flaw


    TensorFlow, a popular Python-based machine learning and artificial intelligence project developed by Google, has dropped support for YAML to patch a critical code execution vulnerability.

    YAML, or Yet Another Markup Language, is a convenient choice among developers looking for a human-readable data serialization language for handling configuration files and data in transit.

    Untrusted deserialization vulnerability in TensorFlow

    Maintainers behind both TensorFlow and Keras, a wrapper project for TensorFlow, have patched an untrusted deserialization vulnerability that stemmed from unsafe parsing of YAML.

    Tracked as CVE-2021-37678, the critical flaw enables attackers to execute arbitrary code when an application deserializes a Keras model provided in the YAML format.

    Deserialization vulnerabilities typically occur when an application reads malformed or malicious data originating from inauthentic sources.

    After an application reads and deserializes the data, it may crash, resulting in a Denial of Service (DoS) condition, or worse, execute the attacker’s arbitrary code.

    This YAML deserialization vulnerability, rated a 9.3 in severity, was responsibly reported to TensorFlow maintainers by security researcher Arjun Shibu.

    And the source of the flaw, you ask? The notorious “yaml.unsafe_load()” function in TensorFlow code:

    Vulnerable yaml.unsafe_load function call in TensorFlow (GitHub)

    The “unsafe_load” function is known to deserialize YAML data rather liberally—it resolves all tags, “even those known to be unsafe on untrusted input.”

    This means, ideally “unsafe_load” should only be called on input that comes from a trusted source and is known to be free of any malicious content.

    Should that not be the case, attackers can exploit the deserialization mechanism to execute code of their choice by injecting malicious payload in the YAML data which is yet to be serialized.

    An example Proof-of-Concept (PoC) exploit shared in the vulnerability advisory demonstrates just this:

    
    # PoC from the advisory: the YAML string below reaches yaml.unsafe_load() via model_from_yaml()
    from tensorflow.keras import models

    payload = '''
    !!python/object/new:type
    args: ['z', !!python/tuple [], {'extend': !!python/name:exec }]
    listitems: "__import__('os').system('cat /etc/passwd')"
    '''

    models.model_from_yaml(payload)

    TensorFlow drops YAML altogether in favor of JSON

    After the vulnerability was reported, TensorFlow decided to drop YAML support altogether and use JSON deserialization instead.

    “Given that YAML format support requires a significant amount of work, we have removed it for now,” say the project maintainers in the same advisory.

    “The methods `Model.to_yaml()` and `keras.models.model_from_yaml` have been replaced to raise a `RuntimeError` as they can be abused to cause arbitrary code execution,” also explain the release notes associated with the fix.

    “It is strongly recommended to use JSON serialization instead of YAML, or, a better alternative, serialize to H5.”

    It’s worth noting, TensorFlow is not the first or only project found to be using YAML’s unsafe_load. The function’s use is rather prevalent in Python projects.

    GitHub shows thousands of search results referencing the function, with some developers proposing improvements:

    Many repos on GitHub have used and use YAML’s unsafe load function (GitHub)

    Fix for CVE-2021-37678 is expected to arrive in TensorFlow version 2.6.0, and will also be backported into prior versions 2.5.1, 2.4.3, and 2.3.4, state the maintainers.




