CVE-2024-9053
📋 TL;DR
CVE-2024-9053 is a critical remote code execution vulnerability in vLLM's AsyncEngineRPCServer where untrusted pickle data can be deserialized without sanitization. This allows attackers to execute arbitrary code on affected systems by sending malicious messages to the RPC server. Any organization using vLLM version 0.6.0 with the AsyncEngineRPCServer exposed is affected.
💻 Affected Systems
- vllm-project vllm
📦 What is this software?
vLLM by vLLM Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the server, allowing data theft, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution leading to service disruption, data exfiltration, and cryptocurrency mining malware deployment.
If Mitigated
Limited impact if server is isolated with strict network controls, though RCE would still be possible within the isolated environment.
🎯 Exploit Status
The vulnerability is in a publicly documented component with clear exploitation path via pickle deserialization. The CVSS 9.8 score indicates trivial exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 0.6.1 or later
Vendor Advisory: https://huntr.com/bounties/75a544f3-34a3-4da0-b5a3-1495cb031e09
Restart Required: Yes
Instructions:
1. Upgrade vLLM to version 0.6.1 or later using pip install "vllm>=0.6.1" (quote the requirement so the shell does not treat > as a redirect).
2. Restart all vLLM services.
3. Verify the fix by checking the version and testing RPC functionality.
🔧 Temporary Workarounds
Network Isolation
Linux: Restrict network access to the AsyncEngineRPCServer to only trusted IP addresses
iptables -A INPUT -p tcp --dport [RPC_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [RPC_PORT] -j DROP
Disable RPC Server
All platforms: Temporarily disable AsyncEngineRPCServer if not required
Stop the vLLM service using systemctl stop vllm or kill the process
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the vulnerable server from critical systems
- Deploy application-level firewall or WAF to inspect and block malicious pickle payloads
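One way to inspect pickle payloads without deserializing them, as the item above suggests, is to walk the opcode stream and list every global the payload would import. This is an added example, not vLLM code: `referenced_globals` and `is_acceptable` are hypothetical names, and it assumes the inspecting layer already has the raw message bytes. It is a stop-gap filter, not a replacement for upgrading.

```python
import pickle
import pickletools

STR_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}

def referenced_globals(payload: bytes) -> set:
    """List every 'module.name' a pickle would import, without unpickling it."""
    found, memo = set(), {}
    recent = []  # values pushed by the ops directly before the current one
    for op, arg, _pos in pickletools.genops(payload):
        name = op.name
        if name in STR_OPS:
            recent.append(arg)
        elif name in GET_OPS:
            recent.append(memo.get(arg))      # None if not a tracked string
        elif name == "MEMOIZE":
            memo[len(memo)] = recent[-1] if recent else None
        elif name in PUT_OPS:
            memo[arg] = recent[-1] if recent else None
        elif name == "FRAME":
            pass                              # framing only, no stack effect
        else:
            if name in ("GLOBAL", "INST"):    # arg is "module name"
                found.add(arg.replace(" ", ".", 1))
            elif name == "STACK_GLOBAL":      # module and name come off the stack
                pair = recent[-2:]
                ok = len(pair) == 2 and all(isinstance(s, str) for s in pair)
                found.add(".".join(pair) if ok else "<unresolved>")
            elif name.startswith("EXT"):      # copyreg extension registry lookup
                found.add("<extension>")
            recent = []                       # any other op ends the run of pushes
    return found

def is_acceptable(payload: bytes, allowed=frozenset()) -> bool:
    """Default deny: malformed input or any global outside `allowed` is rejected."""
    try:
        return referenced_globals(payload) <= set(allowed)
    except Exception:
        return False

if __name__ == "__main__":
    # Constructed samples: plain request data vs. an object that needs an import.
    for sample in ({"prompt": "hi", "max_tokens": 16}, complex(1, 2)):
        blob = pickle.dumps(sample, protocol=4)
        print(type(sample).__name__, referenced_globals(blob), is_acceptable(blob))
```

Anything the scanner cannot resolve with certainty is reported as `<unresolved>` and rejected, so the filter fails closed rather than guessing.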
🔍 How to Verify
Check if Vulnerable:
Check if vLLM version is 0.6.0 and AsyncEngineRPCServer is running. Use: python -c "import vllm; print(vllm.__version__)"
Check Version:
python -c "import vllm; print(vllm.__version__)"
Verify Fix Applied:
Confirm version is 0.6.1 or later and test RPC functionality with safe pickle data
📡 Detection & Monitoring
Log Indicators:
- Unusual pickle deserialization errors
- Suspicious RPC connections from unexpected sources
- Process spawning from vLLM service
Network Indicators:
- Unusual outbound connections from vLLM server
- Large pickle payloads sent to RPC port
- Multiple failed deserialization attempts
SIEM Query:
source="vllm.log" AND ("pickle.loads" OR "cloudpickle" OR "deserialization")