CVE-2024-37054
📋 TL;DR
This vulnerability allows remote code execution through malicious PyFunc models in MLflow. Attackers can upload specially crafted models that execute arbitrary code when users interact with them. Organizations using MLflow 0.9.0 or newer for model deployment or experimentation are affected.
💻 Affected Systems
- MLflow
📦 What is this software?
MLflow by Lfprojects
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands, steal data, deploy ransomware, or pivot to other systems in the network.
Likely Case
Data exfiltration, credential theft, or deployment of cryptocurrency miners on vulnerable MLflow instances.
If Mitigated
Limited impact through network segmentation and strict access controls, potentially only affecting isolated MLflow instances.
🎯 Exploit Status
Exploitation requires ability to upload models to MLflow. The vulnerability is in the deserialization process when models are loaded and executed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check MLflow GitHub releases for latest patched version
Vendor Advisory: https://hiddenlayer.com/sai-security-advisory/mlflow-june2024
Restart Required: Yes
Instructions:
1. Check current MLflow version
2. Update to latest patched version via pip: pip install --upgrade mlflow
3. Restart all MLflow services
4. Verify the update was successful
🔧 Temporary Workarounds
Disable PyFunc model serving
All platforms: Temporarily disable PyFunc model serving capabilities to prevent exploitation
Configure MLflow to disable PyFunc model endpoints
Remove or restrict model upload functionality
Network segmentation
All platforms: Isolate MLflow instances from sensitive systems and the internet
Implement firewall rules to restrict MLflow access
Place MLflow in isolated network segment
🧯 If You Can't Patch
- Implement strict access controls to MLflow instances (IP whitelisting, authentication requirements)
- Disable model upload functionality and only use trusted, pre-vetted models
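One way to pre-vet a model artifact before anything loads it, shown as an added example (not code from MLflow or the advisory). It assumes the PyFunc model's Python object is stored as a pickle file; the allowlist and the three sample byte strings are constructed for illustration. The scan walks pickle opcodes with the standard-library `pickletools` module and never unpickles the data.

```python
import pickle
import pickletools
import subprocess
from collections import OrderedDict, deque

# Assumed allowlist: exact (module, name) pairs a vetted model may import.
ALLOWED = {("collections", "OrderedDict")}


def pickle_imports(data: bytes):
    """List (module, name) pairs a pickle would import, without loading it."""
    found = []
    recent = deque(maxlen=2)  # arguments of the last two non-MEMOIZE opcodes
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            # Older protocols carry "module name" as one space-separated argument.
            module, _, name = arg.partition(" ")
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            # Protocol 4+ takes module and name from the two preceding pushes.
            if len(recent) == 2 and all(isinstance(a, str) for a in recent):
                found.append((recent[0], recent[1]))
            else:
                # Names came from the memo or were computed: treat as unknown.
                found.append(("<unresolved>", "<unresolved>"))
        if op.name != "MEMOIZE":
            recent.append(arg)
    return found


def vet_pickle(data: bytes):
    """Return imports outside the allowlist; an empty list means none flagged."""
    return [pair for pair in pickle_imports(data) if pair not in ALLOWED]


# Constructed samples, not real models. SUSPECT only references a function,
# and none of these byte strings is ever unpickled by this script.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "bias": 1.0}, protocol=4)
ORDERED = pickle.dumps(OrderedDict(a=1), protocol=4)
SUSPECT = pickle.dumps(subprocess.check_output, protocol=4)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("ordered", ORDERED), ("suspect", SUSPECT)):
        flagged = vet_pickle(blob)
        print(label, "FLAGGED" if flagged else "ok", flagged)
```

An empty result only means no import outside the allowlist was found by this heuristic; treat any flagged or unresolved import as a reason to reject the artifact.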
🔍 How to Verify
Check if Vulnerable:
Check MLflow version: if version >= 0.9.0 and PyFunc model serving is enabled, the system is vulnerable
Check Version:
python -c "import mlflow; print(mlflow.__version__)"
Verify Fix Applied:
Verify that the MLflow version has been updated to a patched version, then test with safe PyFunc models
📡 Detection & Monitoring
Log Indicators:
- Unusual model uploads from unexpected sources
- Suspicious PyFunc model execution patterns
- Error logs related to model deserialization
Network Indicators:
- Unexpected outbound connections from MLflow servers
- Large data transfers from MLflow instances
SIEM Query:
source="mlflow.log" AND ("model_upload" OR "pyfunc") AND status="success" | stats count by src_ip