{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/monai/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MONAI"],"_cs_severities":["high"],"_cs_tags":["monai","pickle","rce","insecure-deserialization","python"],"_cs_type":"advisory","_cs_vendors":["MONAI"],"content_html":"\u003cp\u003eThe MONAI library, a PyTorch-based framework for medical image analysis, is susceptible to arbitrary code execution due to insecure deserialization of pickle files. The vulnerability resides within the \u003ccode\u003ealgo_from_pickle\u003c/code\u003e function located in \u003ccode\u003emonai/auto3dseg/utils.py\u003c/code\u003e. This function directly employs \u003ccode\u003epickle.loads\u003c/code\u003e without implementing any form of input validation, creating a critical security gap. An attacker can exploit this vulnerability by crafting a malicious pickle file containing embedded code that, when deserialized using the vulnerable function, leads to arbitrary code execution on the system. This vulnerability affects MONAI versions 1.5.1 and earlier. Defenders should implement checks for pickle files being processed by MONAI applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Python class with a \u003ccode\u003e__reduce__\u003c/code\u003e method to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe malicious class is serialized into a pickle file using \u003ccode\u003epickle.dumps\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious pickle file (e.g., \u003ccode\u003eattack_algo.pkl\u003c/code\u003e) to the target system. Delivery method is not specified in the source.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003ealgo_from_pickle\u003c/code\u003e function is called with the path to the malicious pickle file as an argument.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ealgo_from_pickle\u003c/code\u003e opens the pickle file in read-binary mode (\u0026quot;rb\u0026quot;).\u003c/li\u003e\n\u003cli\u003eThe contents of the pickle file are read into the \u003ccode\u003edata_bytes\u003c/code\u003e variable.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epickle.loads(data_bytes)\u003c/code\u003e is executed, deserializing the malicious pickle data.\u003c/li\u003e\n\u003cli\u003eDue to the crafted \u003ccode\u003e__reduce__\u003c/code\u003e method within the malicious class, arbitrary code execution occurs, such as launching \u003ccode\u003ecalc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability enables arbitrary code execution on the target system. This can lead to a complete compromise of the system, including data theft, modification, or destruction. The reported proof-of-concept uses calc.exe. This vulnerability affects MONAI versions 1.5.1 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement file integrity monitoring on MONAI installations to detect unauthorized modifications to the \u003ccode\u003emonai/auto3dseg/utils.py\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Pickle Deserialization in MONAI\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of MONAI that addresses the insecure deserialization vulnerability; versions later than 1.5.1 are not vulnerable.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for any file paths passed to the \u003ccode\u003ealgo_from_pickle\u003c/code\u003e function to prevent the processing of untrusted files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-monai-pickle-rce/","summary":"The MONAI library is vulnerable to arbitrary code execution due to insecure deserialization of pickle files via the `algo_from_pickle` function, allowing attackers to execute arbitrary code by providing a malicious pickle file.","title":"MONAI Library Vulnerable to Arbitrary Code Execution via Pickle Deserialization","url":"https://feed.craftedsignal.io/briefs/2024-01-29-monai-pickle-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - MONAI","version":"https://jsonfeed.org/version/1.1"}