Google Cloud Vertex AI SDK flaw allowed model hijacking and code execution
Cloud Security

A vulnerability in the Google Cloud Vertex AI SDK for Python would have allowed attackers to hijack machine learning model uploads and execute code inside Google's serving infrastructure. Palo Alto Networks Unit 42 discovered the flaw, dubbed "Pickle in the Middle," and reported it through Google's bug bounty program. Google has since patched the vulnerability and urges users to update their SDKs; The Hacker News also covered the finding.

The attack exploited a weakness in how the SDK selected temporary Cloud Storage buckets for model uploads. If a user did not specify a staging bucket, the SDK generated a predictable name derived from the project ID and region. Because Cloud Storage bucket names are unique across all projects, an attacker could create a bucket with that name in their own project before the victim did. The victim's SDK would then upload model files into the attacker-controlled bucket, where the attacker could swap the artifact for a malicious version. Many Python machine learning models are serialized with libraries such as pickle or joblib, which execute arbitrary code when a file is loaded, so when Vertex AI loaded the swapped model, the attacker's code ran inside the serving container.

The exploit involved a race condition: the attacker had to replace the model within roughly 2.5 seconds of the victim's upload. The payload could steal OAuth tokens from the serving container's metadata server, potentially granting access to other model artifacts, BigQuery metadata and internal system information within the same Google-managed tenant project.

The attack required two conditions: the victim's default staging bucket did not yet exist in the region, and the developer had not explicitly set the staging bucket parameter. Google addressed the issue by adding ownership verification and random identifiers to generated bucket names in SDK versions 1.144.0 and 1.148.0.

Source: The Hacker News
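The two mechanics described above, a predictable default bucket name that an attacker can squat on and a pickle artifact that runs code the moment it is deserialized, are simulated in the added example below. This is illustration code written for this page, not Unit 42's proof of concept or Google's SDK. The `FakeBucketNamespace` class, the project IDs and the naming scheme in `predictable_staging_bucket` are constructed stand-ins (the real SDK's format is not reproduced), and `hardened_select_bucket` only models the two fixes the article names, a random identifier plus an ownership check, rather than Google's actual implementation.

```python
import pickle
import secrets


class FakeBucketNamespace:
    """Constructed in-memory stand-in for the global Cloud Storage namespace:
    bucket names are unique across projects, so whoever creates a name first owns it."""

    def __init__(self):
        self._owner = {}  # bucket name -> owning project ID

    def create(self, name, project):
        if name in self._owner:
            raise FileExistsError(f"bucket {name} already exists")
        self._owner[name] = project

    def exists(self, name):
        return name in self._owner

    def owned_by(self, name, project):
        return self._owner.get(name) == project


def predictable_staging_bucket(project_id, region):
    # HYPOTHETICAL scheme: the article only says the default name was derived
    # from project ID and region; the real SDK's format is not shown here.
    return f"{project_id}-{region}-staging"


def vulnerable_select_bucket(ns, project_id, region, staging_bucket=None):
    """Model of the flawed logic: fall back to the predictable name and use it
    if it already exists, without checking who owns it."""
    name = staging_bucket or predictable_staging_bucket(project_id, region)
    if not ns.exists(name):
        ns.create(name, project_id)
    return name


def hardened_select_bucket(ns, project_id, region, staging_bucket=None):
    """Model of the fix the article describes: a generated name carries a random
    identifier, and any bucket that already exists must belong to the caller."""
    if staging_bucket is None:
        base = predictable_staging_bucket(project_id, region)
        staging_bucket = f"{base}-{secrets.token_hex(8)}"  # unguessable suffix
    if ns.exists(staging_bucket):
        if not ns.owned_by(staging_bucket, project_id):
            raise PermissionError(f"{staging_bucket} is not owned by {project_id}")
    else:
        ns.create(staging_bucket, project_id)
    return staging_bucket


def squat_scenario(select_bucket):
    """Attacker pre-creates the victim's guessable default bucket in their own
    project; returns where the victim's model upload would land."""
    ns = FakeBucketNamespace()
    victim, attacker, region = "victim-proj", "attacker-proj", "us-central1"
    ns.create(predictable_staging_bucket(victim, region), attacker)
    try:
        chosen = select_bucket(ns, victim, region)
    except PermissionError:
        return "blocked"
    return "hijacked" if ns.owned_by(chosen, attacker) else "safe"


def explicit_bucket_scenario(select_bucket):
    """Victim names a bucket explicitly, but another project already owns it;
    exercises the ownership check on the hardened path."""
    ns = FakeBucketNamespace()
    ns.create("shared-models", "attacker-proj")
    try:
        chosen = select_bucket(ns, "victim-proj", "us-central1", staging_bucket="shared-models")
    except PermissionError:
        return "blocked"
    return "hijacked" if ns.owned_by(chosen, "attacker-proj") else "safe"


EXECUTED = []  # records that the payload ran; stands in for real side effects


def record_execution(message):
    # Benign stand-in for the payload; a real one could query the metadata
    # server for the serving container's OAuth token.
    EXECUTED.append(message)
    return message


class MaliciousModel:
    """Stand-in for the swapped artifact: pickle stores the callable returned by
    __reduce__ and invokes it inside pickle.loads, before any model method runs."""

    def __reduce__(self):
        return (record_execution, ("payload ran during model load",))


def load_swapped_model():
    blob = pickle.dumps(MaliciousModel())  # what the attacker drops in the bucket
    EXECUTED.clear()
    pickle.loads(blob)  # deserializing alone is enough to run the callable
    return list(EXECUTED)


if __name__ == "__main__":
    print("vulnerable default bucket:", squat_scenario(vulnerable_select_bucket))
    print("hardened default bucket:  ", squat_scenario(hardened_select_bucket))
    print("hardened explicit bucket: ", explicit_bucket_scenario(hardened_select_bucket))
    print("pickle load side effect:  ", load_swapped_model())
```

Two points the simulation makes concrete: the vulnerable selector never asks who owns the bucket it found, so a name that exists is trusted; and the random suffix alone defeats squatting because the attacker cannot create the bucket first, while the ownership check covers the case where a bucket by the chosen name already exists in someone else's project. The pickle part shows why swapping the artifact is sufficient: nothing in the serving path has to call the model for `__reduce__`'s callable to run.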