Impure RPC function calls
The vulnerability is located in PyTorch’s distributed Remote Procedure Call (RPC) component, torch.distributed.rpc. The component facilitates inter-process communication between the various nodes involved in distributed training scenarios, where work is distributed between multiple deployments that act as workers and are controlled from the master node.
When using RPC, workers can serialize PythonUDFs (User Defined Functions) and send them to the master node, which then deserializes and executes them. The problem is that in versions of PyTorch older than 2.2.2 there are no restrictions on calling built-in Python functions such as eval, which allows executing arbitrary commands on the underlying operating system.
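The missing restriction can be illustrated with a receiver that resolves only allowlisted callables while deserializing a request. This is an added example, not PyTorch's code or its actual fix; the allowlist contents, the (func, args) request shape and all names in it are assumptions made for the sketch.

```python
import io
import math
import pickle

# Assumed allowlist for this sketch: the only globals a request may reference.
# Keep it to side-effect-free functions, since pickle can call them while loading.
ALLOWED = {(f.__module__, f.__qualname__) for f in (math.sqrt, len, max)}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) globals."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def handle_request(payload: bytes):
    """Deserialize a (func, args) request; run func only if it was allowlisted."""
    func, args = AllowlistUnpickler(io.BytesIO(payload)).load()
    if not callable(func):
        raise pickle.UnpicklingError("request does not name a callable")
    return func(*args)


def try_request(payload: bytes):
    """Return ("ok", result) or ("rejected", reason) instead of raising."""
    try:
        return ("ok", handle_request(payload))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample requests, shaped as a worker-to-master call would be.
BENIGN = pickle.dumps((math.sqrt, (16,)))
BUILTIN_EVAL = pickle.dumps((eval, ("1 + 1",)))  # harmless expression, still refused

if __name__ == "__main__":
    print(try_request(BENIGN))
    print(try_request(BUILTIN_EVAL))
```

The request naming eval is refused during deserialization, before any function is called, so the decision does not depend on what arguments the sender supplied.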
“An attacker could use this vulnerability to attack remote master nodes that initiate distributed training,” the researchers who reported the vulnerability wrote in their report. “With RCE [remote code execution] the master node is compromised, to further steal sensitive AI-related data.”