CVE-2024-9070
📋 TL;DR
A deserialization vulnerability in BentoML's runner server allows attackers to execute arbitrary code by manipulating the args-number parameter. This affects all deployments using BentoML versions up to 1.3.4.post1. The vulnerability enables remote code execution with high impact on affected systems.
💻 Affected Systems
- BentoML
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attacker to execute arbitrary commands, steal data, deploy ransomware, or pivot to other systems.
Likely Case
Unauthorized code execution leading to data exfiltration, service disruption, or installation of backdoors.
If Mitigated
Limited impact through network segmentation and proper access controls, but still vulnerable to authenticated attacks.
🎯 Exploit Status
Exploit details are publicly available in the huntr.com bounty report. The vulnerability requires specific parameter manipulation but is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: >1.3.4.post1
Vendor Advisory: https://huntr.com/bounties/7be6fc22-be18-44ee-a001-ac7158d5e1a5
Restart Required: Yes
Instructions:
1. Upgrade BentoML to version >1.3.4.post1.
2. Update all dependencies.
3. Restart all BentoML services.
4. Verify the fix is applied.
🔧 Temporary Workarounds
Network Access Restriction
Linux: Restrict network access to the BentoML runner server to trusted sources only
iptables -A INPUT -p tcp --dport [BENTOML_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [BENTOML_PORT] -j DROP
Parameter Validation
All platforms: Implement input validation to reject args-number parameter values > 1
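One way to implement the parameter-validation workaround above, as an added example (not BentoML's code and not taken from the advisory): an ASGI wrapper that answers 400 before the wrapped app sees a request whose args-number is above 1 or malformed. It assumes the parameter arrives as an HTTP header named args-number; the names ArgsNumberGuard, args_number_allowed and probe are made up for this example.

```python
import asyncio

HEADER = b"args-number"  # assumption: the parameter is sent as an HTTP header
MAX_ALLOWED = 1          # the workaround on this page: reject values > 1


def args_number_allowed(headers):
    """True only if every args-number header is a plain integer <= MAX_ALLOWED."""
    for name, value in headers:
        if name.lower() != HEADER:
            continue
        value = value.strip()
        # Fail closed on signs, non-digits, empty or oversized values; a repeated
        # header is rejected as soon as any one copy fails the check.
        if not value.isdigit() or len(value) > 9 or int(value) > MAX_ALLOWED:
            return False
    return True


class ArgsNumberGuard:
    """Wrap any ASGI app; reply 400 without calling it when the check fails."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and not args_number_allowed(scope.get("headers", [])):
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"args-number rejected"})
            return
        await self.app(scope, receive, send)


def probe(header_values):
    """Send one constructed request through the guard; return (status, app_reached)."""
    reached, sent = [], []

    async def inner_app(scope, receive, send):  # stand-in for the protected server
        reached.append(True)
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "headers": [(HEADER, v) for v in header_values]}
    asyncio.run(ArgsNumberGuard(inner_app)(scope, receive, send))
    return sent[0]["status"], bool(reached)
```

Requests without the header pass through unchanged, since the workaround only concerns values above 1.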
🧯 If You Can't Patch
- Isolate BentoML servers in a restricted network segment with no internet access
- Implement strict firewall rules to limit access to only necessary IP addresses
🔍 How to Verify
Check if Vulnerable:
Check BentoML version and verify if args-number parameter > 1 triggers deserialization
Check Version:
python -c "import bentoml; print(bentoml.__version__)"
Verify Fix Applied:
Verify BentoML version is >1.3.4.post1 and test that args-number parameter > 1 no longer triggers deserialization
📡 Detection & Monitoring
Log Indicators:
- Unusual deserialization errors
- Unexpected process execution
- Args-number parameter with value > 1 in requests
Network Indicators:
- Unusual outbound connections from BentoML server
- Traffic patterns indicating code execution
SIEM Query:
source="bentoml" AND (args-number>1 OR "deserialization" OR "pickle")