{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/bentoml/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BentoML"],"_cs_severities":["high"],"_cs_tags":["command-injection","docker","bentoml","CVE-2026-33744"],"_cs_type":"advisory","_cs_vendors":["BentoML"],"content_html":"\u003cp\u003eBentoML is susceptible to a command injection vulnerability due to unsanitized input in the \u003ccode\u003edocker.system_packages\u003c/code\u003e field of the \u003ccode\u003ebentofile.yaml\u003c/code\u003e configuration file. This flaw allows an attacker to inject arbitrary commands into the Dockerfile \u003ccode\u003eRUN\u003c/code\u003e instruction during the containerization process. The vulnerability exists because the \u003ccode\u003esystem_packages\u003c/code\u003e values, intended to be OS package names, are directly incorporated into shell commands without proper escaping or validation. All versions supporting the \u003ccode\u003edocker.system_packages\u003c/code\u003e feature in \u003ccode\u003ebentofile.yaml\u003c/code\u003e are affected, with version 1.4.36 confirmed to be vulnerable. Attackers can exploit this by crafting a malicious \u003ccode\u003ebentofile.yaml\u003c/code\u003e that executes arbitrary code during the \u003ccode\u003ebentoml containerize\u003c/code\u003e or \u003ccode\u003edocker build\u003c/code\u003e operations, potentially compromising CI/CD pipelines, BentoCloud infrastructure, or the broader BentoML ecosystem. This vulnerability is tracked as CVE-2026-33744.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003ebentofile.yaml\u003c/code\u003e file containing a command injection payload within the \u003ccode\u003edocker.system_packages\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eA user clones or downloads the ML project containing the malicious \u003ccode\u003ebentofile.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user executes the \u003ccode\u003ebentoml build\u003c/code\u003e command, which parses the \u003ccode\u003ebentofile.yaml\u003c/code\u003e and generates a Dockerfile.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebentoml containerize\u003c/code\u003e command or \u003ccode\u003edocker build\u003c/code\u003e is executed using the generated Dockerfile.\u003c/li\u003e\n\u003cli\u003eDuring the Docker build process, the injected command from \u003ccode\u003esystem_packages\u003c/code\u003e is executed as root within the container. Specifically, this occurs due to the unsanitized string formatting in \u003ccode\u003esrc/_bentoml_sdk/images.py\u003c/code\u003e, where the package list is directly injected into the \u003ccode\u003eapt-get install\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe injected command achieves arbitrary code execution on the system building the Docker image.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system or exfiltrates sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially compromises CI/CD pipelines or cloud infrastructure if the build process is automated.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands with root privileges on the system building the Docker image. This could lead to complete system compromise, data exfiltration, or denial of service. The impact includes potentially malicious repositories spreading through the ML community, compromised CI/CD pipelines running \u003ccode\u003ebentoml containerize\u003c/code\u003e on pull requests, and potential remote code execution (RCE) on BentoCloud infrastructure if it builds images from user-supplied \u003ccode\u003ebentofile.yaml\u003c/code\u003e. The wide adoption of shared bentos and model repositories in the BentoML ecosystem amplifies the supply chain risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect BentoML System Packages Command Injection\u0026quot; to identify attempts to exploit this vulnerability (rules).\u003c/li\u003e\n\u003cli\u003eApply the input validation fix described in the advisory to \u003ccode\u003esystem_packages\u003c/code\u003e in \u003ccode\u003ebuild_config.py\u003c/code\u003e (references).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of BentoML that includes the recommended fixes to prevent command injection (Affected Packages).\u003c/li\u003e\n\u003cli\u003eMonitor CI/CD pipelines for modifications to \u003ccode\u003ebentofile.yaml\u003c/code\u003e and implement strict code review processes (overview).\u003c/li\u003e\n\u003cli\u003eScan existing BentoML projects and Bento repositories for malicious \u003ccode\u003ebentofile.yaml\u003c/code\u003e files (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-bentoml-rce/","summary":"BentoML is vulnerable to Dockerfile command injection via the `docker.system_packages` field in `bentofile.yaml`, allowing arbitrary command execution during `bentoml containerize` / `docker build`.","title":"BentoML Dockerfile Command Injection via bentofile.yaml","url":"https://feed.craftedsignal.io/briefs/2024-01-bentoml-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - BentoML","version":"https://jsonfeed.org/version/1.1"}