{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/hmac/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SageMaker Python SDK"],"_cs_severities":["high"],"_cs_tags":["sagemaker","hmac","key-leakage","cloud","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe Amazon SageMaker Python SDK, a library for training and deploying machine learning models on Amazon SageMaker, contains a vulnerability related to the ModelBuilder/Serve component. Specifically, when building and deploying models with affected model servers (TorchServe, Multi-Model Server, TensorFlow Serving, SMD, or Triton), the SDK inadvertently stores an HMAC secret key in cleartext as the \u003ccode\u003eSAGEMAKER_SERVE_SECRET_KEY\u003c/code\u003e environment variable within the SageMaker model container configuration. This sensitive environment variable is then exposed in plaintext through the \u003ccode\u003eDescribeModel\u003c/code\u003e, \u003ccode\u003eDescribeEndpointConfig\u003c/code\u003e, and \u003ccode\u003eDescribeModelPackage\u003c/code\u003e APIs. This vulnerability affects versions \u0026gt;= v2.199.0 AND \u0026lt;= v2.257.1, as well as versions \u0026gt;= v3.0.0 AND \u0026lt;= v3.7.1. 
Defenders must upgrade to the patched versions and rebuild affected models; upgrading the library alone does not change configurations that were already written.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains authenticated access to the AWS account with permission to call the SageMaker Describe APIs.\u003c/li\u003e\n\u003cli\u003eAttacker enumerates SageMaker models via \u003ccode\u003eDescribeModel\u003c/code\u003e, \u003ccode\u003eDescribeEndpointConfig\u003c/code\u003e, or \u003ccode\u003eDescribeModelPackage\u003c/code\u003e API calls.\u003c/li\u003e\n\u003cli\u003eThe API response reveals the \u003ccode\u003eSAGEMAKER_SERVE_SECRET_KEY\u003c/code\u003e in plaintext within the container environment configuration.\u003c/li\u003e\n\u003cli\u003eAttacker gains S3 write access to the model artifact path.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious model artifact and, holding the HMAC key, computes a valid integrity tag for it. An HMAC only proves that whoever produced the tag knew the key, so once the key is public the integrity check no longer distinguishes a forged artifact from the original.\u003c/li\u003e\n\u003cli\u003eAttacker uploads the forged model artifact to the S3 bucket, replacing the original model.\u003c/li\u003e\n\u003cli\u003eThe compromised model is deployed to an inference container.\u003c/li\u003e\n\u003cli\u003eUpon execution, the malicious model runs code with the SageMaker execution role\u0026rsquo;s IAM permissions, which typically exceed the S3 write and Describe permissions the attacker started with, hence privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker with authenticated access and S3 write permissions to achieve code execution within SageMaker inference containers. The attacker can leverage the SageMaker execution role\u0026rsquo;s IAM permissions, potentially leading to privilege escalation, data exfiltration, or other malicious activities. The number of affected models depends on how many were built and deployed with ModelBuilder on a vulnerable SDK version; each such model keeps the key in its stored configuration until it is rebuilt, regardless of which SDK version is installed today. 
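Two checks a defender can run against the exposure described above, as an added example that is not code from the advisory, from Amazon, or from the SageMaker SDK: the first walks DescribeModel responses (live through ListModels and DescribeModel, or offline from saved responses) and names every model whose container environment still carries SAGEMAKER_SERVE_SECRET_KEY; the second counts the three Describe calls per caller in CloudTrail records so that a burst from one principal stands out from routine tooling. The fields used (PrimaryContainer, Containers, Environment, eventSource, eventName, userIdentity.arn) are the documented response and record shapes; the model definitions, ARNs and events in the block are constructed sample data, and the alert threshold is an assumption to tune per account.

```python
# Added example (not from the advisory, Amazon, or the SageMaker SDK):
# audit stored model definitions for the leaked SAGEMAKER_SERVE_SECRET_KEY
# and flag principals that enumerate models through the three Describe APIs.
# Field names follow the public DescribeModel response and CloudTrail record
# formats; all sample data below is constructed.
from collections import Counter

LEAKED_ENV_VAR = 'SAGEMAKER_SERVE_SECRET_KEY'
WATCHED_CALLS = {'DescribeModel', 'DescribeEndpointConfig', 'DescribeModelPackage'}


def containers_of(describe_model_response):
    '''Yield each container definition in a DescribeModel response:
    PrimaryContainer for single-container models, Containers for pipelines.'''
    primary = describe_model_response.get('PrimaryContainer')
    if primary:
        yield primary
    for container in describe_model_response.get('Containers') or []:
        yield container


def models_exposing_key(describe_model_responses):
    '''Names of models whose container environment carries the key.
    Only names are returned so the audit output does not re-leak the value.'''
    exposed = []
    for response in describe_model_responses:
        for container in containers_of(response):
            if LEAKED_ENV_VAR in (container.get('Environment') or {}):
                exposed.append(response['ModelName'])
                break
    return exposed


def enumeration_suspects(cloudtrail_records, threshold):
    '''Count watched SageMaker Describe* calls per caller ARN and return
    (arn, count) for callers at or above threshold, busiest first.
    threshold is an assumed per-account tuning value, not a documented default.'''
    counts = Counter()
    for record in cloudtrail_records:
        if record.get('eventSource') != 'sagemaker.amazonaws.com':
            continue
        if record.get('eventName') not in WATCHED_CALLS:
            continue
        arn = (record.get('userIdentity') or {}).get('arn', 'unknown')
        counts[arn] += 1
    return [(arn, n) for arn, n in counts.most_common() if n >= threshold]


def scan_account(sagemaker_client):
    '''Live audit: page through ListModels and describe every model.
    Needs sagemaker:ListModels and sagemaker:DescribeModel. Call with
    boto3.client('sagemaker'); boto3 is deliberately not imported here so the
    offline checks above run without it.'''
    responses = []
    for page in sagemaker_client.get_paginator('list_models').paginate():
        for summary in page['Models']:
            responses.append(sagemaker_client.describe_model(ModelName=summary['ModelName']))
    return models_exposing_key(responses)


# Constructed sample DescribeModel responses (image names and values are placeholders).
SAMPLE_MODELS = [
    {'ModelName': 'mb-torchserve-v1',
     'PrimaryContainer': {'Image': 'pytorch-inference:2.1',
                          'ModelDataUrl': 's3://example-bucket/mb-torchserve-v1/model.tar.gz',
                          'Environment': {'SAGEMAKER_PROGRAM': 'inference.py',
                                          LEAKED_ENV_VAR: 'placeholder-secret'}}},
    {'ModelName': 'pipeline-model',
     'Containers': [{'Image': 'preprocess:1', 'Environment': {'STAGE': 'pre'}},
                    {'Image': 'triton:24', 'Environment': {LEAKED_ENV_VAR: 'placeholder-secret'}}]},
    {'ModelName': 'hand-built-model',
     'PrimaryContainer': {'Image': 'pytorch-inference:2.1',
                          'Environment': {'SAGEMAKER_PROGRAM': 'inference.py'}}},
]


def _event(name, arn, source='sagemaker.amazonaws.com'):
    return {'eventSource': source, 'eventName': name, 'userIdentity': {'arn': arn}}


SCANNER = 'arn:aws:iam::123456789012:user/scanner'
CI_ROLE = 'arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42'
# Constructed CloudTrail records: four watched calls from one user, one from CI,
# one unwatched call, and one DescribeModel attributed to the wrong service.
SAMPLE_EVENTS = [
    _event('DescribeModel', SCANNER),
    _event('DescribeEndpointConfig', SCANNER),
    _event('DescribeModelPackage', SCANNER),
    _event('DescribeModel', SCANNER),
    _event('DescribeModel', CI_ROLE),
    _event('CreateModel', SCANNER),
    _event('DescribeModel', SCANNER, source='s3.amazonaws.com'),
]

if __name__ == '__main__':
    print('models still carrying the key:', models_exposing_key(SAMPLE_MODELS))
    print('enumeration suspects:', enumeration_suspects(SAMPLE_EVENTS, 3))
```

The offline functions run as-is on the constructed data; scan_account is the only part that touches AWS, and it reports model names only, never the key value, so its output can be pasted into a ticket without re-leaking the secret.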
A successful attack therefore gives the attacker control over the code an affected model\u0026rsquo;s inference container executes, with whatever permissions the execution role grants.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Amazon SageMaker Python SDK to v2.257.2 or later on the 2.x line, or v3.8.0 or later on the 3.x line, as stated in the advisory.\u003c/li\u003e\n\u003cli\u003eRebuild any models previously created with ModelBuilder using the updated SDK so that the HMAC key is no longer stored in the container environment variables. Upgrading the library alone leaves existing model definitions untouched, and any key these APIs have already returned should be treated as compromised.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail for \u003ccode\u003eDescribeModel\u003c/code\u003e, \u003ccode\u003eDescribeEndpointConfig\u003c/code\u003e, and \u003ccode\u003eDescribeModelPackage\u003c/code\u003e calls. These are routine read-only calls made by consoles, SDKs and CI tooling, so alert on volume per principal, on unfamiliar principals or source addresses, and on Describe calls followed shortly by S3 writes to a model artifact prefix (visible only if S3 data events are logged), rather than on any single call.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003esagemaker:DescribeModel\u003c/code\u003e, \u003ccode\u003esagemaker:DescribeEndpointConfig\u003c/code\u003e, and \u003ccode\u003esagemaker:DescribeModelPackage\u003c/code\u003e, together with \u003ccode\u003es3:PutObject\u003c/code\u003e on model artifact prefixes, to the principals that need them; the attack requires both the read and the write.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T17:44:00Z","date_published":"2026-05-21T17:44:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sagemaker-hmac-leak/","summary":"Amazon SageMaker Python SDK exposes an HMAC signing key in cleartext via API calls, enabling an authenticated actor with write access to the model artifact path to forge model artifacts and achieve code execution.","title":"Amazon SageMaker Python SDK HMAC Key Leakage via API Exposure","url":"https://feed.craftedsignal.io/briefs/2026-05-sagemaker-hmac-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — Hmac","version":"https://jsonfeed.org/version/1.1"}