Keras, Arbitrary Code Execution, CVE-2023-XXXX (Critical)

How the CVE Works:

The vulnerability in Keras’ `Model.load_model` function allows arbitrary code execution even when `safe_mode=True` is enabled. It stems from insufficient validation of the `config.json` file inside a `.keras` archive. An attacker can craft a malicious `.keras` archive by editing `config.json` so that it names arbitrary Python modules, functions, and arguments. When the model is loaded with `Model.load_model`, that code is executed, which can lead to system compromise, data theft, or further exploitation. Because the flaw bypasses the intended safety mechanism, users should update to the patched version.

DailyCVE Form:

Platform: Keras
Version: < 3.9
Vulnerability: Arbitrary Code Execution
Severity: Critical
Date: YYYY-MM-DD

What Undercode Say:

Exploitation:

1. Crafting Malicious Archive:

  • Modify `config.json` in a `.keras` archive to include malicious Python modules and functions.
  • Example (the original listing was not valid JSON; the argument list is now quoted):
    {
      "class_name": "malicious_module",
      "config": {
        "module": "os",
        "function": "system",
        "args": ["bash"]
      }
    }

2. Triggering Exploit:

  • Load the malicious archive using `Model.load_model`:
    from keras.models import load_model
    model = load_model('malicious.keras')

Protection:

1. Update Keras:

  • Upgrade to Keras version 3.9 or later:
    pip install --upgrade keras

2. Validate Sources:

  • Only load models from trusted sources.
  • Verify the integrity of `.keras` archives before loading.

3. Sandboxing:

  • Use a sandboxed environment to load untrusted models, for example a throwaway container with no network access and a read-only mount. The original listing invoked a `keras` image with a `load_model` command that do not exist; the `tensorflow/tensorflow` image is assumed here, and any image with Keras installed will do:
    docker run --rm --network none -v "$PWD":/models:ro tensorflow/tensorflow \
      python -c "import keras; keras.saving.load_model('/models/untrusted.keras')"

4. Code Review:

  • Audit `config.json` files in `.keras` archives for suspicious entries.
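The following audit script is an added example, not code from the advisory or from the Keras project. It treats a `.keras` file as the zip archive it is, reads `config.json` without ever deserializing the model, and flags any object whose `module` falls outside the Keras namespace, plus bare `function`/`args` keys of the kind shown in the exploit section. The allowlist, the `make_archive` helper and the two sample configs are constructed for the demo.

```python
import io
import json
import zipfile

# Constructed allowlist: top-level packages a legitimate config may reference.
ALLOWED_MODULE_PREFIXES = ("keras", "keras_hub", "keras_cv", "keras_nlp")
# Keys that have no business in a layer/model config object.
SUSPICIOUS_KEYS = {"function", "args"}


def walk(node, path="$"):
    """Yield (json_path, dict) for every dict nested anywhere in the config."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")


def audit_config(config):
    """Return a list of findings for an already-parsed config.json."""
    findings = []
    for path, obj in walk(config):
        module = obj.get("module")
        if isinstance(module, str) and module.split(".")[0] not in ALLOWED_MODULE_PREFIXES:
            findings.append(f"{path}: non-Keras module {module!r}")
        for key in SUSPICIOUS_KEYS & obj.keys():
            findings.append(f"{path}: unexpected key {key!r}")
    return findings


def audit_keras_archive(data: bytes):
    """Audit a .keras archive given as bytes; only config.json is read."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        config = json.loads(zf.read("config.json"))
    return audit_config(config)


def make_archive(config) -> bytes:
    """Constructed helper: build a minimal .keras-style zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


# Constructed sample configs: a plain Sequential model and the advisory's malicious shape.
BENIGN = {"module": "keras.models", "class_name": "Sequential", "config": {"layers": [
    {"module": "keras.layers", "class_name": "Dense", "config": {"units": 4}}]}}
MALICIOUS = {"class_name": "malicious_module",
             "config": {"module": "os", "function": "system", "args": ["bash"]}}

if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, audit_keras_archive(make_archive(cfg)) or "clean")
```

The check is a triage heuristic for archives received from outside; it complements, and does not replace, upgrading to the patched release.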

Detection:

1. Static Analysis:

  • Use tools like `bandit` to scan for unsafe deserialization:
    bandit -r keras/

2. Monitoring:

  • Monitor for unexpected Python module imports during model loading.

References:

Reported By: https://github.com/advisories/GHSA-48g7-3x6r-xfhp
Extra Source Hub:
Undercode