CVE-2024-9340

7.5 HIGH

📋 TL;DR

This CVE describes a Denial of Service vulnerability in zenml-io/zenml version 0.66.0 where unauthenticated attackers can send specially crafted multipart requests with malformed boundaries to cause infinite loops and excessive resource consumption. This affects all users of vulnerable zenml deployments, particularly those exposing the affected API endpoints publicly. The vulnerability completely denies service to legitimate users when exploited.

💻 Affected Systems

Products:
  • zenml-io/zenml
Versions: 0.66.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with the vulnerable version exposed via HTTP endpoints. The /api/v1/login and /api/v1/device_authorization endpoints are specifically vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage for all users of the zenml deployment, with potential resource exhaustion leading to system instability or crashes.

🟠 Likely Case

Temporary service disruption affecting authentication and device authorization endpoints, requiring service restart to recover.

🟢 If Mitigated

Minimal impact with proper network segmentation and request filtering in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed multipart requests but does not require authentication or special privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit cba152eb9ca3071c8372b0b91c02d9d3351de48d

Vendor Advisory: https://github.com/zenml-io/zenml/commit/cba152eb9ca3071c8372b0b91c02d9d3351de48d

Restart Required: Yes

Instructions:

1. Update zenml to a version containing commit cba152eb9ca3071c8372b0b91c02d9d3351de48d.
2. Restart the zenml service.
3. Verify the fix by testing with malformed multipart requests.

🔧 Temporary Workarounds

Network Filtering

all

Implement WAF rules or network filtering to block malformed multipart requests with suspicious boundary patterns.

Endpoint Restriction

all

Restrict access to vulnerable endpoints (/api/v1/login and /api/v1/device_authorization) using firewall rules or authentication requirements.

🧯 If You Can't Patch

  • Implement rate limiting on affected endpoints to reduce impact of DoS attempts
  • Deploy behind a reverse proxy with request validation and filtering capabilities

🔍 How to Verify

Check if Vulnerable:

Check if running zenml version 0.66.0 and test by sending malformed multipart requests to /api/v1/login with arbitrary characters appended to boundary markers.

Check Version:

zenml version

Verify Fix Applied:

After patching, attempt to send the same malformed requests and verify they are properly rejected without causing infinite loops or excessive resource consumption.

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Repeated error logs related to multipart parsing
  • Unusually high number of requests to /api/v1/login or /api/v1/device_authorization

Network Indicators:

  • Malformed multipart requests with unusual boundary patterns
  • High volume of requests to authentication endpoints from single sources

SIEM Query:

source="zenml" AND (endpoint="/api/v1/login" OR endpoint="/api/v1/device_authorization") AND status=500 AND message="multipart"
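As an added example (not part of this advisory or of zenml itself), the script below applies the log indicators listed above to a few constructed sample log lines: it counts, per client source, HTTP 500 responses carrying a multipart parsing error on the two affected endpoints, and reports sources that cross a threshold. The log line format, field order and message wording are assumptions, not zenml's actual log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real zenml output). Assumed format:
# "<timestamp> <client_ip> <method> <path> <status> <message>"
SAMPLE_LOGS = """\
2024-10-01T12:00:01Z 203.0.113.7 POST /api/v1/login 500 multipart parse error: invalid boundary
2024-10-01T12:00:01Z 203.0.113.7 POST /api/v1/login 500 multipart parse error: invalid boundary
2024-10-01T12:00:02Z 203.0.113.7 POST /api/v1/device_authorization 500 multipart parse error: invalid boundary
2024-10-01T12:00:02Z 198.51.100.4 POST /api/v1/login 200 login ok
2024-10-01T12:00:03Z 203.0.113.7 POST /api/v1/login 500 multipart parse error: invalid boundary
2024-10-01T12:00:04Z 192.0.2.9 GET /api/v1/pipelines 200 ok
2024-10-01T12:00:05Z 198.51.100.4 POST /api/v1/login 500 database timeout
"""

# Endpoints named as vulnerable in the advisory.
AFFECTED_ENDPOINTS = {"/api/v1/login", "/api/v1/device_authorization"}

# One regex for the assumed six-field line layout; message may contain spaces.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")


def is_multipart_error(path, status, message):
    """True for a 500 on an affected endpoint whose message mentions multipart."""
    return (path in AFFECTED_ENDPOINTS
            and status == "500"
            and "multipart" in message.lower())


def find_suspicious_sources(log_text, threshold=3):
    """Return {client_ip: count} for sources producing at least `threshold`
    multipart-error responses on the affected endpoints. Lines that do not
    match the assumed format are skipped rather than raising."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, ip, _method, path, status, message = m.groups()
        if is_multipart_error(path, status, message):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_suspicious_sources(SAMPLE_LOGS).items():
        print(f"{ip}: {n} multipart errors on affected endpoints")
```

The threshold is a starting point; in a real deployment it should be tuned against the baseline error rate of these endpoints and combined with a time window, since a single burst is the pattern described under Network Indicators.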
