CVE-2024-2035
📋 TL;DR
CVE-2024-2035 allows any authenticated user of the ZenML platform to modify other users' information, including deactivating their accounts by setting the active status to false. It affects all users of ZenML version 0.55.3 and could let an attacker disable admin accounts and disrupt application functionality.
💻 Affected Systems
- zenml-io/zenml
📦 What is this software?
Zenml by Zenml
⚠️ Risk & Real-World Impact
Worst Case
Attackers could deactivate all admin accounts, causing complete loss of administrative control, service disruption, and potential privilege escalation by creating new admin accounts.
Likely Case
Malicious authenticated users deactivate other users' accounts, causing service disruption and denial of service for targeted individuals.
If Mitigated
With proper authorization controls, only authorized users can modify user information, limiting impact to legitimate administrative actions.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via API calls to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.56.2
Vendor Advisory: https://github.com/zenml-io/zenml/commit/b95f083efffa56831cd41d8ed536aeb0b6038fa3
Restart Required: Yes
Instructions:
1. Back up your ZenML configuration and data.
2. Update ZenML using pip: 'pip install --upgrade zenml==0.56.2'.
3. Restart all ZenML services.
4. Verify the update with 'zenml version'.
🔧 Temporary Workarounds
API Endpoint Restriction
Temporarily restrict access to the vulnerable PUT /api/v1/users/{id} endpoint using network controls or API gateway rules.
Authentication Layer Monitoring
Implement enhanced monitoring and alerting for user modification API calls to detect suspicious activity.
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to the ZenML API only to trusted administrative networks.
- Deploy a web application firewall (WAF) with rules to block or alert on suspicious user modification requests.
🔍 How to Verify
Check if Vulnerable:
Check whether your ZenML version is 0.55.3 using the 'zenml version' command, or inspect the installed package version in your environment.
Check Version:
zenml version
Verify Fix Applied:
After updating, verify that the version is 0.56.2 or higher with 'zenml version'. Then test that an authenticated non-admin user cannot modify other users' information via the API (the request should be rejected).
📡 Detection & Monitoring
Log Indicators:
- Multiple PUT requests to the /api/v1/users/{id} endpoint from non-admin accounts
- User account status changes (active: false) initiated by non-admin users
- Failed authorization attempts for user modification operations
Network Indicators:
- Unusual patterns of API calls to user management endpoints
- Multiple account deactivation requests within short timeframes
SIEM Query:
source="zenml" AND (uri_path="/api/v1/users/*" AND http_method="PUT") AND user_role!="admin"
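The log indicators and SIEM query above can be turned into a small offline detector. The following is an added example, not ZenML's own code or logging format: it assumes a constructed JSON-per-line access log that records the acting user's role, the HTTP method, the request path, the request body for PUTs and the response status. It flags non-admin PUTs to /api/v1/users/{id}, successful deactivations (active: false), failed authorization attempts (403s, the expected outcome once 0.56.2 is deployed), and actors that deactivate several accounts within a short window.

```python
"""Detector for the CVE-2024-2035 log indicators.

Added example; not ZenML code. The log format is an ASSUMPTION: one JSON
object per line with ts, actor, actor_role, method, path, status and, for
PUT requests, the decoded request body.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real ZenML output).
SAMPLE_LOGS = """
{"ts": "2024-03-01T10:00:00Z", "actor": "alice", "actor_role": "admin", "method": "PUT", "path": "/api/v1/users/7", "body": {"active": false}, "status": 200}
{"ts": "2024-03-01T10:05:12Z", "actor": "bob", "actor_role": "user", "method": "GET", "path": "/api/v1/users/3", "status": 200}
{"ts": "2024-03-01T10:06:00Z", "actor": "bob", "actor_role": "user", "method": "PUT", "path": "/api/v1/users/1", "body": {"active": false}, "status": 200}
{"ts": "2024-03-01T10:06:20Z", "actor": "bob", "actor_role": "user", "method": "PUT", "path": "/api/v1/users/2", "body": {"active": false}, "status": 200}
{"ts": "2024-03-01T10:06:45Z", "actor": "bob", "actor_role": "user", "method": "PUT", "path": "/api/v1/users/4", "body": {"full_name": "x"}, "status": 200}
{"ts": "2024-03-01T11:30:00Z", "actor": "carol", "actor_role": "user", "method": "PUT", "path": "/api/v1/users/5", "body": {"active": false}, "status": 403}
"""

# Matches the vulnerable endpoint and captures the target user id.
USER_PATH = re.compile(r"^/api/v1/users/([^/]+)$")


def parse_log(text):
    """Parse JSON-per-line log text into event dicts with datetime timestamps."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def non_admin_user_puts(events):
    """Indicator: PUT /api/v1/users/{id} issued by a non-admin actor."""
    hits = []
    for e in events:
        m = USER_PATH.match(e.get("path", ""))
        if e.get("method") == "PUT" and m and e.get("actor_role") != "admin":
            hits.append({**e, "target": m.group(1)})
    return hits


def deactivations(events):
    """Indicator: successful non-admin PUTs that set active to false."""
    return [e for e in non_admin_user_puts(events)
            if e.get("status") == 200 and e.get("body", {}).get("active") is False]


def failed_authz(events):
    """Indicator: user-modification PUTs rejected with 403 (expected on patched servers)."""
    return [e for e in non_admin_user_puts(events) if e.get("status") == 403]


def burst_actors(events, window=timedelta(minutes=5), threshold=2):
    """Network indicator: actors with >= threshold deactivations inside one window."""
    by_actor = {}
    for e in deactivations(events):
        by_actor.setdefault(e["actor"], []).append(e["ts"])
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        for i in range(len(times)):
            j = i
            # Extend the window from the i-th deactivation as far as it reaches.
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged.add(actor)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOGS)
    for e in deactivations(evs):
        print(f"ALERT deactivation by {e['actor']} of user {e['target']} at {e['ts']:%H:%M:%S}")
    for e in failed_authz(evs):
        print(f"INFO  rejected modification attempt by {e['actor']} (target {e['target']})")
    print("burst actors:", burst_actors(evs))
```

The status-code split matters for triage: on an unpatched 0.55.3 server the dangerous events are the 200s, while after upgrading to 0.56.2 the same requests should surface as 403s, which is also a convenient way to confirm the fix from the log side.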