CVE-2024-7557
📋 TL;DR
This vulnerability in OpenShift AI allows attackers to bypass authentication and escalate privileges across AI models within the same namespace. By using a ServiceAccount token exposed in the UI for one model, an attacker can access other models and APIs that they are not authorized to use. Organizations using OpenShift AI with model authentication enabled are affected.
💻 Affected Systems
- Red Hat OpenShift AI
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all AI models and associated resources within the namespace, potentially leading to data theft, model manipulation, or lateral movement to other systems.
Likely Case
Unauthorized access to sensitive AI models and their data, potentially exposing proprietary algorithms, training data, or inference results.
If Mitigated
Limited impact if proper network segmentation and access controls prevent lateral movement beyond the initial namespace.
🎯 Exploit Status
Exploitation requires initial access to a model's ServiceAccount token, which is exposed in the UI. Once obtained, using oc --token={token} provides elevated access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisory for specific fixed versions
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-7557
Restart Required: Yes
Instructions:
1. Check Red Hat advisory for specific patch versions.
2. Update OpenShift AI to the patched version.
3. Restart affected components.
4. Verify ServiceAccount tokens are no longer improperly shared between models.
🔧 Temporary Workarounds
Disable model authentication
Platform: all
Temporarily disable authentication protection on AI models to prevent token exposure
# Configure models without authentication protection in OpenShift AI UI
Namespace isolation
Platform: linux
Deploy sensitive models in separate namespaces to limit lateral movement
oc new-project sensitive-models
# Deploy critical models in isolated namespace
🧯 If You Can't Patch
- Implement strict network policies to limit communication between models within the namespace
- Regularly rotate ServiceAccount tokens and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check if ServiceAccount tokens from one model can be used to access other models or APIs within the same namespace using oc --token={token} commands.
Check Version:
oc version
Verify Fix Applied:
After patching, verify that ServiceAccount tokens are properly isolated and cannot be used to access unauthorized models or APIs.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized API calls using ServiceAccount tokens
- Access patterns showing single token accessing multiple models
- Failed authentication attempts followed by successful token-based access
Network Indicators:
- Unusual cross-model API traffic within namespace
- Token reuse across different model endpoints
SIEM Query:
source="openshift-audit-logs" AND (token_reuse OR unauthorized_model_access OR serviceaccount_privilege_escalation)
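An added example, not part of the original advisory or of Red Hat's tooling: a Python pass over Kubernetes API audit events (JSON lines) that flags the log indicator above where a single ServiceAccount identity reaches more than one model in a namespace. It assumes models show up as inferenceservices objects in each event's objectRef; the namespace, ServiceAccount and model names in the sample are constructed.

```python
import json
from collections import defaultdict

# Constructed sample audit events (one JSON object per line); all names are made up.
SAMPLE_AUDIT_LOG = """\
{"verb":"get","user":{"username":"system:serviceaccount:demo-ns:model-a-sa"},"objectRef":{"resource":"inferenceservices","namespace":"demo-ns","name":"model-a"},"responseStatus":{"code":200}}
{"verb":"get","user":{"username":"system:serviceaccount:demo-ns:model-a-sa"},"objectRef":{"resource":"inferenceservices","namespace":"demo-ns","name":"model-b"},"responseStatus":{"code":200}}
{"verb":"get","user":{"username":"system:serviceaccount:demo-ns:model-b-sa"},"objectRef":{"resource":"inferenceservices","namespace":"demo-ns","name":"model-b"},"responseStatus":{"code":200}}
{"verb":"get","user":{"username":"system:serviceaccount:demo-ns:model-b-sa"},"objectRef":{"resource":"inferenceservices","namespace":"demo-ns","name":"model-a"},"responseStatus":{"code":403}}
{"verb":"get","user":{"username":"alice"},"objectRef":{"resource":"inferenceservices","namespace":"demo-ns","name":"model-a"},"responseStatus":{"code":200}}
{"verb":"get","user":{"username":"alice"},"objectRef":{"resource":"inferenceservices","namespace":"demo-ns","name":"model-b"},"responseStatus":{"code":200}}
{"verb":"get","user":
"""

SA_PREFIX = "system:serviceaccount:"


def models_per_serviceaccount(lines, resource="inferenceservices"):
    """Map (namespace, ServiceAccount username) -> set of model names it read successfully."""
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        user = (ev.get("user") or {}).get("username", "")
        ref = ev.get("objectRef") or {}
        code = (ev.get("responseStatus") or {}).get("code", 0)
        # Only ServiceAccount identities touching the assumed model resource type.
        if not user.startswith(SA_PREFIX) or ref.get("resource") != resource:
            continue
        # List calls carry no object name; denied calls (e.g. 403) are not access.
        if not ref.get("name") or not 200 <= code < 300:
            continue
        seen[(ref.get("namespace"), user)].add(ref["name"])
    return seen


def find_cross_model_access(lines, threshold=2):
    """Return ServiceAccounts that reached at least `threshold` distinct models."""
    per_sa = models_per_serviceaccount(lines)
    return {k: sorted(v) for k, v in per_sa.items() if len(v) >= threshold}
```

A deployment where one ServiceAccount legitimately serves several models will need an allowlist or a higher threshold before this is useful as an alert.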