<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>BentoML - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/bentoml/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/bentoml/feed.xml" rel="self" type="application/rss+xml"/><item><title>BentoML Dockerfile Command Injection via bentofile.yaml</title><link>https://feed.craftedsignal.io/briefs/2024-01-bentoml-rce/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-bentoml-rce/</guid><description>BentoML is vulnerable to Dockerfile command injection via the `docker.system_packages` field in `bentofile.yaml`, allowing arbitrary command execution during `bentoml containerize` / `docker build`.</description><content:encoded><![CDATA[<p>BentoML is susceptible to a command injection vulnerability due to unsanitized input in the <code>docker.system_packages</code> field of the <code>bentofile.yaml</code> configuration file. This flaw allows an attacker to inject arbitrary commands into the Dockerfile <code>RUN</code> instruction during the containerization process. The vulnerability exists because the <code>system_packages</code> values, intended to be OS package names, are directly incorporated into shell commands without proper escaping or validation. All versions supporting the <code>docker.system_packages</code> feature in <code>bentofile.yaml</code> are affected, with version 1.4.36 confirmed to be vulnerable. Attackers can exploit this by crafting a malicious <code>bentofile.yaml</code> that executes arbitrary code during the <code>bentoml containerize</code> or <code>docker build</code> operations, potentially compromising CI/CD pipelines, BentoCloud infrastructure, or the broader BentoML ecosystem. This vulnerability is tracked as CVE-2026-33744.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious <code>bentofile.yaml</code> file containing a command injection payload within the <code>docker.system_packages</code> field.</li>
<li>A user clones or downloads the ML project containing the malicious <code>bentofile.yaml</code>.</li>
<li>The user executes the <code>bentoml build</code> command, which parses the <code>bentofile.yaml</code> and generates a Dockerfile.</li>
<li>The <code>bentoml containerize</code> command or <code>docker build</code> is executed using the generated Dockerfile.</li>
<li>During the Docker build process, the injected command from <code>system_packages</code> is executed as root within the container. Specifically, this occurs due to the unsanitized string formatting in <code>src/_bentoml_sdk/images.py</code>, where the package list is directly injected into the <code>apt-get install</code> command.</li>
<li>The injected command achieves arbitrary code execution on the system building the Docker image.</li>
<li>The attacker gains unauthorized access to the system or exfiltrates sensitive information.</li>
<li>The attacker potentially compromises CI/CD pipelines or cloud infrastructure if the build process is automated.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands with root privileges on the system building the Docker image. This could lead to complete system compromise, data exfiltration, or denial of service. The impact includes potentially malicious repositories spreading through the ML community, compromised CI/CD pipelines running <code>bentoml containerize</code> on pull requests, and potential remote code execution (RCE) on BentoCloud infrastructure if it builds images from user-supplied <code>bentofile.yaml</code>. The wide adoption of shared bentos and model repositories in the BentoML ecosystem amplifies the supply chain risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect BentoML System Packages Command Injection&quot; to identify attempts to exploit this vulnerability (rules).</li>
<li>Apply the input validation fix described in the advisory to <code>system_packages</code> in <code>build_config.py</code> (references).</li>
<li>Upgrade to a patched version of BentoML that includes the recommended fixes to prevent command injection (Affected Packages).</li>
<li>Monitor CI/CD pipelines for modifications to <code>bentofile.yaml</code> and implement strict code review processes (overview).</li>
<li>Scan existing BentoML projects and Bento repositories for malicious <code>bentofile.yaml</code> files (overview).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>command-injection</category><category>docker</category><category>bentoml</category><category>CVE-2026-33744</category></item></channel></rss>