AI Python Package Flaw ‘Llama Drama’ Threatens Software Supply Chain

By Waqas

The Llama Drama vulnerability in the Llama-cpp-Python package exposes AI models to remote code execution (RCE) attacks, enabling attackers to steal data. Currently, over 6,000 models are affected by this vulnerability.

HackRead

The Checkmarx threat research team, in a report shared with Hackread.com, revealed the dangers posed by seemingly trusted AI models harboring backdoors. Dubbed "Llama Drama", the vulnerability impacts the llama_cpp_python package, potentially allowing attackers to execute arbitrary code and compromise data and operations.

The vulnerability affects over 6,000 AI models on trusted platforms like Hugging Face, highlighting the need for AI platforms and developers to address supply chain security challenges.

The vulnerability was initially discovered by a cybersecurity researcher known by the handle @retr0reg on X (Twitter), who announced it as follows:

LLM popular Dependency Llama-cpp-Python RCE 0-day✅

Found a week after my 15th birthday. Around 1.3k projects are affected (via GH Search), including your favourite langchain, llama-index….

This felt great but also reminds me of how effective Supply-Chain Attacks can be in ML/AI.

— retr0reg (@retr0reg) May 10, 2024

**Vulnerability Details**

CVE-2024-34359 is a critical vulnerability resulting from the misuse of the Jinja2 template engine in the `llama_cpp_python` package.

The issue lies in how template data is processed: without security measures such as sandboxing. Although Jinja2 supports sandboxing, it was not used in this case, which could lead to arbitrary code execution on the host system.

For context, Jinja2 is a Python library used for template rendering and HTML generation, but it can be a security risk if not configured correctly. The llama_cpp_python package, meanwhile, combines Python's ease of use with C++'s performance. It is well suited to complex AI models handling large data volumes, but it can be exposed to template injection attacks.
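As an added illustration (not code from llama-cpp-python or from the Checkmarx report), the following Python contrasts the vulnerable pattern, rendering a chat template read from model metadata with a plain `jinja2.Environment`, against rendering it with Jinja2's `ImmutableSandboxedEnvironment`, and wraps the sandboxed render in a pre-load check that a loader could run before trusting a model file. The template strings and the message list are constructed samples, the `check_chat_template` helper is hypothetical, and the example assumes the `jinja2` package is installed.

```python
# Added example: unsandboxed vs. sandboxed rendering of a chat template taken
# from model metadata. Not llama-cpp-python code; assumes jinja2 is installed.
import jinja2
from jinja2.exceptions import SecurityError
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Constructed stand-ins for the "chat_template" string a loader would read
# from a .gguf file's metadata. The first only formats messages; the second
# reaches into Python object internals, which a prompt template never needs.
BENIGN_TEMPLATE = (
    "{% for m in messages %}<|{{ m.role }}|>{{ m.content }}\n{% endfor %}"
)
PROBING_TEMPLATE = "{{ messages.__class__ }}"

MESSAGES = [{"role": "user", "content": "hello"}]  # constructed sample input


def render_unsandboxed(template_src: str, messages: list) -> str:
    """The vulnerable pattern: a plain Environment executes whatever the
    metadata template asks for, with full access to Python objects."""
    env = jinja2.Environment()
    return env.from_string(template_src).render(messages=messages)


def render_sandboxed(template_src: str, messages: list) -> str:
    """The hardened pattern: the immutable sandbox refuses attribute access
    Jinja2 considers unsafe (leading underscores, mutating methods).
    StrictUndefined turns the refused lookup into a SecurityError instead
    of silently rendering an empty string."""
    env = ImmutableSandboxedEnvironment(undefined=jinja2.StrictUndefined)
    return env.from_string(template_src).render(messages=messages)


def check_chat_template(template_src: str, messages: list = MESSAGES):
    """Hypothetical pre-load check (not the project's fix): returns
    (ok, detail). ok is False whenever the sandbox refuses the template,
    which is the signal to reject the model file rather than load it."""
    try:
        return True, render_sandboxed(template_src, messages)
    except SecurityError as exc:
        return False, f"sandbox refused template: {exc}"
    except jinja2.TemplateError as exc:
        return False, f"template error: {exc}"


if __name__ == "__main__":
    print(render_unsandboxed(PROBING_TEMPLATE, MESSAGES))  # exposes internals
    print(check_chat_template(BENIGN_TEMPLATE))
    print(check_chat_template(PROBING_TEMPLATE))
```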

**Risk Assessment**

This vulnerability, as per Checkmarx's report, is critical because AI systems process sensitive datasets. Such vulnerabilities expose them to risks like unauthorized actions, data theft, system compromise, and operational disruption, affecting individual privacy and organizational integrity.

The security of AI systems is crucial, as their supply chains depend on third-party libraries and frameworks. Because AI systems are integrated across many other systems, their attack surface is extended, and a single component's vulnerability can impact the entire system.

The good news is that the vulnerability has been fixed in version 0.2.72, with the addition of sandboxing and input validation measures. Organizations are advised to update promptly.

Still, it highlights a risk in our increasingly connected world. Many AI models are shared online, and if one has this weakness, it could spread like a virus. This is a wake-up call for developers and AI platforms to be wary of software supply chain security loopholes. Just like checking your ingredients before you cook, it’s important to make sure the software you use is safe and secure.

Related news

U.S. Agencies Warn of Iranian Hacking Group's Ongoing Ransomware Attacks

U.S. cybersecurity and intelligence agencies have called out an Iranian hacking group for breaching multiple organizations across the country and coordinating with affiliates to deliver ransomware. The activity has been linked to a threat actor dubbed Pioneer Kitten, which is also known as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757, which it described as connected to

Focus on What Matters Most: Exposure Management and Your Attack Surface

Read the full article for key points from Intruder’s VP of Product, Andy Hornegold’s recent talk on exposure management. If you’d like to hear Andy’s insights first-hand, watch Intruder’s on-demand webinar. To learn more about reducing your attack surface, reach out to their team today.  Attack surface management vs exposure management Attack surface management (ASM) is the ongoing

TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks

Unknown threat actors have been observed leveraging open-source tools as part of a suspected cyber espionage campaign targeting global government and private sector organizations. Recorded Future's Insikt Group is tracking the activity under the temporary moniker TAG-100, noting that the adversary likely compromised organizations in at least ten countries across Africa, Asia, North America,

GHSA-56xg-wfcc-g829: llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata

## Description

`llama-cpp-python` depends on the class `Llama` in `llama.py` to load `.gguf` llama.cpp or Latency Machine Learning Models. The `__init__` constructor built into `Llama` takes several parameters to configure the loading and running of the model. Besides `NUMA, LoRa settings`, `loading tokenizers,` and `hardware settings`, `__init__` also loads the `chat template` from the targeted `.gguf` file's metadata and further passes it to `llama_chat_format.Jinja2ChatFormatter.to_chat_handler()` to construct the `self.chat_handler` for this model. However, `Jinja2ChatFormatter` parses the `chat template` from the metadata with a sandbox-less `jinja2.Environment`, which is then rendered in `__call__` to construct the `prompt` of the interaction. This allows `jinja2` Server Side Template Injection, which leads to RCE via a carefully constructed payload.

## Source-to-Sink

### `llama.py` -> `class Llama` -> `__init__`:

```python
class Llama:
    """High-level Python wrapper for a ...
```

Palo Alto Updates Remediation for Max-Critical Firewall Bug

Though PAN originally described the attacks exploiting the vulnerability as being limited, they are increasingly growing in volume, with more exploits disclosed by outside parties.

Siemens Working on Fix for Device Affected by Palo Alto Firewall Bug

Growing attacks targeting the flaw prompted CISA to include it in the known exploited vulnerabilities catalog earlier this month.

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution

This Metasploit module exploits two vulnerabilities in Palo Alto Networks PAN-OS that allow an unauthenticated attacker to create arbitrarily named files and execute shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or GlobalProtect Portal enabled and telemetry collection on (default). Multiple versions are affected. Payloads may take up to one hour to execute, depending on how often the telemetry service is set to run.

Palo Alto PAN-OS Command Execution / Arbitrary File Creation

Palo Alto PAN-OS versions prior to 11.1.2-h3 command injection and arbitrary file creation exploit.

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

By CyberNewsWire. Las Vegas, United States, April 17th, 2024. Zero Knowledge Networking vendor shrugs off firewall flaw. In the…

Palo Alto OS Command Injection

Palo Alto OS was recently hit by a command injection zero-day attack. These are exploitation details related to the zero-day.

Palo Alto Network Issues Hotfixes for Zero-Day Bug in Its Firewall OS

A sophisticated threat actor is leveraging the bug to deploy a Python backdoor for stealing data and executing other malicious actions.

Palo Alto Patches 0-Day (CVE-2024-3400) Exploited by Python Backdoor

By Deeba Ahmed. Firewall on fire!