CVE-2023-37273
📋 TL;DR
Auto-GPT releases before 0.4.3, when started by cloning the git repository and running 'docker compose run auto-gpt' from the repository root, use the repository's own docker-compose.yml rather than the compose file described in the official Docker setup instructions. That file bind-mounts itself into the container at /app without the read-only (ro) flag, so Python code run through Auto-GPT's execute_python_file and execute_python_code commands can overwrite it. Whatever the rewritten file specifies (for example extra host bind mounts, privileged mode or a different image) takes effect the next time the operator runs 'docker compose run auto-gpt', which hands the attacker the host. Because Auto-GPT executes model-generated code by design, any task or content that steers the model into writing such code is enough; the user does not have to knowingly run untrusted code.
💻 Affected Systems
- Auto-GPT
📦 What is this software?
Auto-GPT is an experimental open-source autonomous agent that drives GPT-4 (or GPT-3.5) toward a user-supplied goal by choosing and running commands, including commands that execute Python code in a container. The git repository ships a docker-compose.yml for running the agent from a checkout; the official documentation describes a separate Docker setup with its own compose file.
⚠️ Risk & Real-World Impact
Worst Case
The rewritten docker-compose.yml starts a container of the attacker's choosing on the next 'docker compose run auto-gpt'. A privileged container, or one that bind-mounts host paths such as / or /var/run/docker.sock, is root-equivalent on the host, so malware installation, data theft, lateral movement and persistent access all follow. Whoever runs docker compose already has Docker access, which on a typical Linux host is itself root-equivalent.
Likely Case
Persistent host access established on the first restart after the agent was steered into writing the file, plus theft of whatever is reachable from the host or from the container environment (API keys supplied to the container through the compose env_file, workspace contents), followed by backdoors or cryptocurrency miners. Note that this is not a runtime container escape: nothing happens until the operator restarts Auto-GPT, which is also what makes it easy to miss.
If Mitigated
With docker-compose.yml overlaid read-only at its container path, model-generated code stays confined to the container. It can still read secrets in the container environment and write the workspace, but it cannot change what the next start executes, so there is no path from the agent to the host.
🎯 Exploit Status
Exploitation requires Python code to run through Auto-GPT's execute_python_file or execute_python_code commands. That is the agent's normal mode of operation: the code is written by the language model, so the attacker needs to influence the model's output (through the task it is given, or through web content it reads while working) rather than hold any access to the system. Once such code runs in the vulnerable configuration, overwriting the compose file is a single file write to /app/docker-compose.yml, and the payload fires on the next 'docker compose run auto-gpt'.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.4.3
Vendor Advisory: https://github.com/Significant-Gravitas/Auto-GPT/security/advisories/GHSA-x5gj-2chr-4ch6
Restart Required: Yes
Instructions:
1. Update the checkout to 0.4.3 or later: git fetch, then check out tag v0.4.3 or newer. Do not simply pull onto a tree that may already have been rewritten.
2. Before rebuilding, inspect the working tree for changes the container could have made: run 'git status --porcelain' and 'git diff docker-compose.yml' in the repository, review any difference, and restore modified tracked files from git.
3. Rebuild the image ('docker compose build') and start again with 'docker compose run auto-gpt'.
4. Confirm that the new docker-compose.yml mounts itself with the :ro flag, or move to the official Docker setup, which uses a compose file written per the linked instructions rather than the repository's.
🔧 Temporary Workarounds
Use the official Docker setup
Follow the official Docker setup instructions instead of running 'docker compose run auto-gpt' from the git repository root; the official setup uses its own compose file rather than the repository's.
Follow instructions at: https://github.com/Significant-Gravitas/Auto-GPT#-docker
Manual docker-compose.yml fix
Edit the repository's docker-compose.yml so the compose file is mounted read-only inside the container.
Change the volume entry './docker-compose.yml:/app/docker-compose.yml' to './docker-compose.yml:/app/docker-compose.yml:ro'. The read-only overlay at that exact container path is what protects the file: a read-write mount of the repository root into /app on its own still exposes docker-compose.yml, because Docker applies the more specific mount on top of the directory mount.
🧯 If You Can't Patch
- Disable the execute_python_file and execute_python_code commands. In the 0.4.x releases this is done through the DISABLED_COMMAND_CATEGORIES setting in .env, which takes the command module names (check .env.template in your checkout for the exact key and module path). Without code execution the model has no way to write to the mount.
- Treat model-generated code as untrusted: keep it in a sandbox with no write access to anything that influences the next start, and review the checkout ('git status', 'git diff docker-compose.yml') before every restart.
🔍 How to Verify
Check if Vulnerable:
You are affected if all of the following hold: the Auto-GPT checkout is older than 0.4.3; you start it with 'docker compose run auto-gpt' from the repository root, so the repository's docker-compose.yml is in use; and that file's volume entry for docker-compose.yml lacks the :ro flag (or the repository root is mounted read-write into /app with no read-only overlay of the file).
Check Version:
docker exec [container_name] python -c "import autogpt; print(autogpt.__version__)"
This only works while a session is running, because 'docker compose run' starts a one-off container that exits with the session, and only if the installed package exposes __version__. The checked-out tag ('git describe --tags' in the repository) or the version field in pyproject.toml is the reliable source.
Verify Fix Applied:
Confirm the checkout is at 0.4.3 or later and that docker-compose.yml mounts itself with :ro, or that you have moved to the official Docker setup. Also confirm that the current docker-compose.yml matches the committed one ('git diff --exit-code docker-compose.yml'), so that a file already rewritten by an earlier session is not what you restart.
📡 Detection & Monitoring
Log Indicators:
- docker-compose.yml (or anything else in the checkout) differing from the committed version, seen via 'git status' or 'git diff' in the repository, a file-integrity monitor, or an auditd watch on the file. An operator edit is legitimate; a change preceded in the agent's activity log by an execute_python_file or execute_python_code command is the signature of this attack.
- Auto-GPT activity logs showing execute_python_code or execute_python_file with code that touches /app (in particular /app/docker-compose.yml) rather than the workspace.
- A rewritten compose file that adds privileged: true, host namespaces (pid: host, network_mode: host), bind mounts of absolute host paths such as / or /var/run/docker.sock, or a different image than before.
Network Indicators:
- Outbound connections from the Auto-GPT container, or from the host after a restart, to destinations other than the LLM API and the search or browsing endpoints the agent is configured to use. The agent's own traffic makes this noisy, so allowlist the known endpoints rather than alerting on any outbound connection.
SIEM Query:
Docker never logs strings such as "container escape" or "docker-compose.yml modification", so do not alert on them. Alert on file-integrity or auditd events keyed to the compose file instead: with the auditd watch rule '-w /path/to/Auto-GPT/docker-compose.yml -p wa -k autogpt_compose' (path is an example), search for key autogpt_compose ('ausearch -k autogpt_compose', or the equivalent filter on your SIEM's auditd source) and correlate any hit with the agent's command log.
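The following is an added example, not code from the Auto-GPT project or from the advisory. It serves both the manual docker-compose.yml workaround above and the verification and detection steps: it embeds constructed compose fragments that reconstruct the vulnerable mount and the :ro fix (the surrounding keys are assumed for illustration), decides whether the host's compose file is writable from inside the container, including the case where the repository root is mounted read-write and only a read-only overlay of the file protects it, and flags the settings a rewritten file would need to reach the host. It reads only the compose short volume syntax with a dependency-free line scan, so no YAML library is required.

```python
"""Audit an Auto-GPT style docker-compose.yml for the CVE-2023-37273 condition.

Added example, not Auto-GPT project code. Reads only the compose "short"
volume syntax (host:container[:opts]) with a line-based scan; the long
mapping syntax (- type: bind ...) is deliberately not parsed.
"""
import re
from dataclasses import dataclass

# Constructed samples. The first two reconstruct the shape of the repo-root
# compose file before and after the :ro fix (illustrations, not copies of the
# project's file); the third is what a file rewritten from inside the
# container might look like.
VULNERABLE_COMPOSE = """\
version: "3.9"
services:
  auto-gpt:
    build: ./
    env_file:
      - .env
    volumes:
      - ./:/app
      - ./docker-compose.yml:/app/docker-compose.yml
    profiles: ["exclude-from-up"]
"""
FIXED_COMPOSE = VULNERABLE_COMPOSE.replace(
    "./docker-compose.yml:/app/docker-compose.yml",
    "./docker-compose.yml:/app/docker-compose.yml:ro")
TAMPERED_COMPOSE = """\
version: "3.9"
services:
  auto-gpt:
    build: ./
    privileged: true
    volumes:
      - ./:/app
      - /:/host
      - /var/run/docker.sock:/var/run/docker.sock
"""


@dataclass
class Mount:
    src: str         # host side, as written in the file
    dst: str         # container path
    read_only: bool  # True only when the "ro" option is present
    line: int        # 1-based line number, for reporting


def _indent(s):
    return len(s) - len(s.lstrip(" "))


def _norm_src(src):
    """Normalise the host side: './' and '.' both mean the repository root."""
    if src.startswith("/"):
        return src if src == "/" else src.rstrip("/")
    s = src[2:] if src.startswith("./") else src
    return s.rstrip("/") or "."


def parse_short_volumes(text):
    """Collect short-syntax mounts from every service-level volumes: block."""
    mounts, vol_indent = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments (naive about '#' in quotes)
        if not line.strip():
            continue
        ind = _indent(line)
        if vol_indent is not None and ind <= vol_indent:
            vol_indent = None                 # dedented: the volumes block is over
        if vol_indent is None:
            if line.strip() == "volumes:" and ind > 0:  # indent 0 = named volumes, skip
                vol_indent = ind
            continue
        item = line.strip()
        if not item.startswith("- "):
            continue
        spec = item[2:].strip().strip("'\"")
        if " " in spec or ":" not in spec:
            continue                          # long syntax or anonymous volume
        parts = spec.split(":")
        opts = parts[2].split(",") if len(parts) > 2 else []
        mounts.append(Mount(parts[0], parts[1], "ro" in opts, n))
    return mounts


def compose_file_writable(mounts, compose_name="docker-compose.yml"):
    """True if the host's compose file can be written from inside the container.

    Two ways in: the file is bind-mounted directly without :ro, or the repo root
    is bind-mounted read-write and nothing overlays the file read-only at the
    matching container path (the :ro fix relies on exactly that overlay).
    """
    for m in mounts:
        if _norm_src(m.src) == compose_name and not m.read_only:
            return True
    for root in mounts:
        if _norm_src(root.src) != "." or root.read_only:
            continue
        overlay = root.dst.rstrip("/") + "/" + compose_name
        if not any(_norm_src(m.src) == compose_name and m.read_only and m.dst == overlay
                   for m in mounts):
            return True
    return False


def tamper_indicators(text, mounts):
    """Settings a rewritten compose file would need to reach the host.

    The repo file only uses relative host paths and no privilege options, so
    any of these is a deviation worth an alert.
    """
    found = []
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.split("#", 1)[0].strip()
        if re.fullmatch(r"privileged:\s*(true|yes)", s, re.I):
            found.append((n, "privileged container"))
        elif re.fullmatch(r"(pid|network_mode|ipc):\s*host", s):
            found.append((n, "host namespace: " + s))
    for m in mounts:
        if m.src.startswith("/"):
            found.append((m.line, "absolute host path bind-mounted: " + m.src))
    return sorted(found)


def audit(text):
    mounts = parse_short_volumes(text)
    return {"compose_file_writable": compose_file_writable(mounts),
            "indicators": tamper_indicators(text, mounts)}


if __name__ == "__main__":
    for name, text in [("vulnerable", VULNERABLE_COMPOSE),
                       ("fixed", FIXED_COMPOSE), ("tampered", TAMPERED_COMPOSE)]:
        print(name, audit(text))
```

Run it against the checkout with audit(open("docker-compose.yml").read()): a True compose_file_writable on a pre-0.4.3 tree is the vulnerable condition from the verification section, and any entry in indicators on a file that should match the committed one is a tampering signal to correlate with the agent's command log. The parser deliberately ignores the long mount syntax, so a file that uses it needs a manual look.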