Skip to content
Threat Feed
high advisory

MONAI Library Vulnerable to Arbitrary Code Execution via Pickle Deserialization

The MONAI library is vulnerable to arbitrary code execution due to insecure deserialization of pickle files via the `algo_from_pickle` function, allowing attackers to execute arbitrary code by providing a malicious pickle file.

The MONAI library, a PyTorch-based framework for medical image analysis, is susceptible to arbitrary code execution due to insecure deserialization of pickle files. The vulnerability resides within the algo_from_pickle function located in monai/auto3dseg/utils.py. This function directly employs pickle.loads without implementing any form of input validation, creating a critical security gap. An attacker can exploit this vulnerability by crafting a malicious pickle file containing embedded code that, when deserialized using the vulnerable function, leads to arbitrary code execution on the system. This vulnerability affects MONAI versions 1.5.1 and earlier. Defenders should implement checks for pickle files being processed by MONAI applications.

Attack Chain

  1. Attacker crafts a malicious Python class with a __reduce__ method to execute arbitrary commands.
  2. The malicious class is serialized into a pickle file using pickle.dumps.
  3. The attacker delivers the malicious pickle file (e.g., attack_algo.pkl) to the target system. Delivery method is not specified in the source.
  4. The vulnerable algo_from_pickle function is called with the path to the malicious pickle file as an argument.
  5. algo_from_pickle opens the pickle file in read-binary mode ("rb").
  6. The contents of the pickle file are read into the data_bytes variable.
  7. pickle.loads(data_bytes) is executed, deserializing the malicious pickle data.
  8. Due to the crafted __reduce__ method within the malicious class, arbitrary code execution occurs, such as launching calc.exe.

Impact

Successful exploitation of this vulnerability enables arbitrary code execution on the target system. This can lead to a complete compromise of the system, including data theft, modification, or destruction. The reported proof-of-concept uses calc.exe. This vulnerability affects MONAI versions 1.5.1 and earlier.

Recommendation

  • Implement file integrity monitoring on MONAI installations to detect unauthorized modifications to the monai/auto3dseg/utils.py file.
  • Deploy the Sigma rule Detect Suspicious Pickle Deserialization in MONAI to detect exploitation attempts.
  • Upgrade to a patched version of MONAI that addresses the insecure deserialization vulnerability; versions later than 1.5.1 are not vulnerable.
  • Implement input validation and sanitization for any file paths passed to the algo_from_pickle function to prevent the processing of untrusted files.

Detection coverage 2

Detect Suspicious Pickle Deserialization in MONAI

high

Detects the execution of `algo_from_pickle` with a suspicious pickle file in MONAI, indicating a potential insecure deserialization attempt.

sigma tactics: execution techniques: T1053.005 sources: process_creation, windows

Detect Suspicious Process Launched by Python Pickle

critical

Detects processes spawned by Python after deserializing a pickle file, indicating potential code execution from pickle deserialization

sigma tactics: execution techniques: T1059.008 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →