MONAI Library Vulnerable to Arbitrary Code Execution via Pickle Deserialization
The MONAI library is vulnerable to arbitrary code execution due to insecure deserialization of pickle files via the `algo_from_pickle` function, allowing attackers to execute arbitrary code by providing a malicious pickle file.
The MONAI library, a PyTorch-based framework for medical image analysis, is susceptible to arbitrary code execution due to insecure deserialization of pickle files. The vulnerability resides within the algo_from_pickle function located in monai/auto3dseg/utils.py. This function directly employs pickle.loads without implementing any form of input validation, creating a critical security gap. An attacker can exploit this vulnerability by crafting a malicious pickle file containing embedded code that, when deserialized using the vulnerable function, leads to arbitrary code execution on the system. This vulnerability affects MONAI versions 1.5.1 and earlier. Defenders should implement checks for pickle files being processed by MONAI applications.
Attack Chain
- Attacker crafts a malicious Python class with a
__reduce__method to execute arbitrary commands. - The malicious class is serialized into a pickle file using
pickle.dumps. - The attacker delivers the malicious pickle file (e.g.,
attack_algo.pkl) to the target system. Delivery method is not specified in the source. - The vulnerable
algo_from_picklefunction is called with the path to the malicious pickle file as an argument. algo_from_pickleopens the pickle file in read-binary mode ("rb").- The contents of the pickle file are read into the
data_bytesvariable. pickle.loads(data_bytes)is executed, deserializing the malicious pickle data.- Due to the crafted
__reduce__method within the malicious class, arbitrary code execution occurs, such as launchingcalc.exe.
Impact
Successful exploitation of this vulnerability enables arbitrary code execution on the target system. This can lead to a complete compromise of the system, including data theft, modification, or destruction. The reported proof-of-concept uses calc.exe. This vulnerability affects MONAI versions 1.5.1 and earlier.
Recommendation
- Implement file integrity monitoring on MONAI installations to detect unauthorized modifications to the
monai/auto3dseg/utils.pyfile. - Deploy the Sigma rule
Detect Suspicious Pickle Deserialization in MONAIto detect exploitation attempts. - Upgrade to a patched version of MONAI that addresses the insecure deserialization vulnerability; versions later than 1.5.1 are not vulnerable.
- Implement input validation and sanitization for any file paths passed to the
algo_from_picklefunction to prevent the processing of untrusted files.
Detection coverage 2
Detect Suspicious Pickle Deserialization in MONAI
highDetects the execution of `algo_from_pickle` with a suspicious pickle file in MONAI, indicating a potential insecure deserialization attempt.
Detect Suspicious Process Launched by Python Pickle
criticalDetects processes spawned by Python after deserializing a pickle file, indicating potential code execution from pickle deserialization
Detection queries are available on the platform. Get full rules →