Amazon SageMaker Python SDK, HMAC Key Disclosure and Remote Code Execution, Critical Vulnerability

Listen to this Post

The vulnerability exists in the SageMaker Python SDK where HMAC secret keys are stored within environment variables during training job execution. These keys are utilized to sign serialized function payloads that are saved to Amazon S3 for remote function calls. The DescribeTrainingJob API endpoint, which returns detailed job information, inadvertently exposes these sensitive HMAC keys in its response to authorized users. An attacker with DescribeTrainingJob permissions can query this API for a target training job and extract the HMAC secret key. With the key in hand, the attacker can generate valid HMAC signatures for maliciously crafted Python objects. By replacing the legitimate serialized payload in S3 with this forged payload, the integrity validation is bypassed because the signature matches. When the SDK client retrieves and deserializes this payload, the malicious code is executed within the training environment’s Python process. This leads to full remote code execution under the job’s IAM role, allowing access to sensitive data, model artifacts, and AWS metadata services. The attack chain enables payload tampering and code substitution without detection. In multi-tenant deployments, a stolen key from one job could be used to attack other jobs sharing S3 buckets or resources, amplifying the impact.
Platform: SageMaker Python SDK
Version: Before v2.256.0/v3.2.0
Vulnerability: HMAC key disclosure
Severity: Critical
Date: Not specified

Prediction: Patched v2.256.0/v3.2.0

What Undercode Say:

Analytics:

env | grep HMAC
aws sagemaker describe-training-job --training-job-name target --query 'Environment.HMAC_SECRET_KEY'
import boto3; client=boto3.client('sagemaker'); print(client.describe_training_job(TrainingJobName='target')['Environment']['HMAC_SECRET_KEY'])

How Exploit:

1. Acquire DescribeTrainingJob permissions.

2. Extract HMAC key via API.

3. Forge signed malicious payload.

4. Replace S3 function payload.

5. Execute code on deserialization.

Protection from this CVE

  • Upgrade to patched versions.
  • Restrict IAM permissions strictly.
  • Isolate S3 buckets per tenant.
  • Use private CA certificates.

Impact:

  • Arbitrary code execution.
  • Data and credential theft.
  • Cross-tenant compromise risks.
  • Payload tampering enabled.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top