<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Monai - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/monai/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/monai/feed.xml" rel="self" type="application/rss+xml"/><item><title>MONAI Library Vulnerable to Arbitrary Code Execution via Pickle Deserialization</title><link>https://feed.craftedsignal.io/briefs/2024-01-29-monai-pickle-rce/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-29-monai-pickle-rce/</guid><description>The MONAI library is vulnerable to arbitrary code execution due to insecure deserialization of pickle files via the `algo_from_pickle` function, allowing attackers to execute arbitrary code by providing a malicious pickle file.</description><content:encoded><![CDATA[<p>The MONAI library, a PyTorch-based framework for medical image analysis, is susceptible to arbitrary code execution due to insecure deserialization of pickle files. The vulnerability resides within the <code>algo_from_pickle</code> function located in <code>monai/auto3dseg/utils.py</code>. This function directly employs <code>pickle.loads</code> without implementing any form of input validation, creating a critical security gap. An attacker can exploit this vulnerability by crafting a malicious pickle file containing embedded code that, when deserialized using the vulnerable function, leads to arbitrary code execution on the system. This vulnerability affects MONAI versions 1.5.1 and earlier. Defenders should implement checks for pickle files being processed by MONAI applications.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious Python class with a <code>__reduce__</code> method to execute arbitrary commands.</li>
<li>The malicious class is serialized into a pickle file using <code>pickle.dumps</code>.</li>
<li>The attacker delivers the malicious pickle file (e.g., <code>attack_algo.pkl</code>) to the target system. Delivery method is not specified in the source.</li>
<li>The vulnerable <code>algo_from_pickle</code> function is called with the path to the malicious pickle file as an argument.</li>
<li><code>algo_from_pickle</code> opens the pickle file in read-binary mode (&quot;rb&quot;).</li>
<li>The contents of the pickle file are read into the <code>data_bytes</code> variable.</li>
<li><code>pickle.loads(data_bytes)</code> is executed, deserializing the malicious pickle data.</li>
<li>Due to the crafted <code>__reduce__</code> method within the malicious class, arbitrary code execution occurs, such as launching <code>calc.exe</code>.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability enables arbitrary code execution on the target system. This can lead to a complete compromise of the system, including data theft, modification, or destruction. The reported proof-of-concept uses calc.exe. This vulnerability affects MONAI versions 1.5.1 and earlier.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement file integrity monitoring on MONAI installations to detect unauthorized modifications to the <code>monai/auto3dseg/utils.py</code> file.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious Pickle Deserialization in MONAI</code> to detect exploitation attempts.</li>
<li>Upgrade to a patched version of MONAI that addresses the insecure deserialization vulnerability; versions later than 1.5.1 are not vulnerable.</li>
<li>Implement input validation and sanitization for any file paths passed to the <code>algo_from_pickle</code> function to prevent the processing of untrusted files.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>monai</category><category>pickle</category><category>rce</category><category>insecure-deserialization</category><category>python</category></item></channel></rss>