NVIDIA TensorRT-LLM Vulnerability Let Hackers Run Malicious Code

Summary
A critical vulnerability identified as CVE-2025-23254 has been discovered in the NVIDIA TensorRT-LLM framework, affecting versions prior to 0.18.2 on Windows, Linux, and macOS. This vulnerability, rated 8.8 on the CVSS v3.1 scale, arises from improper handling of Inter-Process Communication (IPC) in the Python executor component, where the use of the `pickle` module for serialization and deserialization of untrusted data poses a security risk. A local attacker could exploit this flaw to execute arbitrary code, alter data, or access sensitive information. NVIDIA has mitigated this issue by releasing TensorRT-LLM version 0.18.2, which employs HMAC encryption by default for IPC channels to ensure communication security. Users are strongly advised to upgrade to version 0.18.2 or later to address this vulnerability, as the ability to disable this security feature could reintroduce the risk. The vulnerability was responsibly reported by Avi Lumelsky from Oligo Security.
How Blue Rock Helps

This security issue gives an attacker the ability to execute arbitrary code, alter data, or access sensitive information on systems running vulnerable NVIDIA TensorRT-LLM versions by exploiting improper pickle deserialization in the Python executor's Inter-Process Communication channel. The following protection guardrails can block the successive steps an attacker would need to take:

  • Python Deserialization Protection: when an attacker attempts to inject a malicious pickled object into the IPC channel, it intercepts the deserialization process and applies security policies that restrict the function calls the deserialized object can make, aiming to block functions designed for arbitrary code execution or unauthorized data access before they take full effect.
  • Python OS Command Injection Prevention: should the initial payload attempt to execute operating system commands, for example to gather system information or run further malicious scripts, it monitors the Python runtime environment and blocks these unauthorized command execution attempts.
  • Reverse Shell Protection: if the attacker's code then tries to establish a persistent command and control channel, it prevents the binding of shell STDIN/STDOUT/STDERR to network sockets, blocking reverse shell attempts.
  • Container Drift Protection (Binaries & Scripts): where the vulnerable software runs within a container and the attacker tries to introduce new binaries or scripts that were not part of the original image, such as a privilege escalation tool, it blocks their execution.
  • Process Path Exec Allow: complementing this, it prevents the execution of any attacker-introduced executables or scripts that are saved to and run from non-allowlisted filesystem paths, such as a temporary download folder.
  • Sensitive File Access: to counter data theft or unauthorized modification, if the malicious code attempts to read or alter files designated as sensitive, such as configuration files, private keys, or the LLM's model weights, it monitors and can block these unauthorized file operations.
  • Process Socket Deny: finally, if the attacker attempts to exfiltrate stolen information by having the compromised TensorRT-LLM process open outbound network connections to an attacker-controlled server, or tries to download additional tools, it can deny these socket operations when the process is not on an explicit allowlist for network activity.
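The summary above describes two controls: the 0.18.2 fix, which authenticates IPC messages with HMAC, and the deserialization guardrail, which restricts what an unpickled object may reference. The Python below is an added example, not TensorRT-LLM's or Blue Rock's code, showing both in working form: an HMAC-SHA256 tag verified with a constant-time comparison before any pickle data is parsed, and a restricted Unpickler whose find_class allowlist refuses every global outside a few builtin containers. The message framing (tag followed by payload), the shared key, the allowlist contents, and every function name here are assumptions for this example. To show the allowlist rejecting a foreign global, the example pickles a reference to the harmless function os.getcwd; nothing is executed either way, and the legacy_unpack function exists only to contrast unauthenticated pickle.loads with the authenticated path.

```python
"""Added example: HMAC-authenticated framing in front of pickle, plus a restricted
Unpickler. Not TensorRT-LLM code; framing, key handling and names are assumptions."""
import builtins
import hashlib
import hmac
import io
import os
import pickle

# Assumption: a shared secret provisioned out of band to both ends of the IPC
# channel. Constructed value for this example only.
SHARED_KEY = b"constructed-example-secret-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Only plain data containers may be reconstructed; any other global is refused.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Defence in depth: resolve globals only from a small allowlist, so a pickle
    cannot name arbitrary callables for the loader to invoke."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def pack(obj, key=SHARED_KEY):
    """Sender side: tag || pickle(obj), with tag = HMAC-SHA256(key, pickle(obj))."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def unpack(message, key=SHARED_KEY):
    """Receiver side: verify the tag before pickle sees a single byte, then load
    through the restricted unpickler. Raises ValueError on a bad tag and
    pickle.UnpicklingError on a disallowed global."""
    if len(message) < TAG_LEN:
        raise ValueError("message too short to carry an HMAC tag")
    tag, payload = message[:TAG_LEN], message[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC mismatch: message rejected before deserialization")
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def legacy_unpack(message):
    """The weak pattern the advisory describes: no authentication, plain
    pickle.loads on whatever arrived. Present only to contrast with unpack()."""
    return pickle.loads(message[TAG_LEN:])


def try_unpack(message, key=SHARED_KEY):
    """Return ('ok', obj) or ('rejected', reason) so a receiver can log and drop
    a bad message instead of crashing."""
    try:
        return "ok", unpack(message, key)
    except (ValueError, pickle.UnpicklingError) as exc:
        return "rejected", str(exc)


def flip_byte(message, index):
    """Simulate on-path tampering with one byte of the pickled payload."""
    pos = TAG_LEN + index
    return message[:pos] + bytes([message[pos] ^ 0x01]) + message[pos + 1:]


def foreign_global_message():
    """A correctly tagged message whose pickle merely *references* os.getcwd, a
    global outside the allowlist. Used to show the unpickler policy firing even
    when the HMAC check passes (e.g. a compromised but key-holding peer)."""
    return pack(os.getcwd)


if __name__ == "__main__":
    # Constructed sample request resembling an executor IPC message.
    request = {"request_id": 7, "prompt": "hello", "max_tokens": 16}
    print(try_unpack(pack(request)))                                 # ok
    print(try_unpack(flip_byte(pack(request), 5)))                   # rejected: HMAC
    print(try_unpack(pack(request, key=b"attacker-has-no-key")))     # rejected: HMAC
    print(try_unpack(foreign_global_message()))                      # rejected: global
    print(legacy_unpack(pack(request, key=b"attacker-has-no-key")))  # accepted: no auth
```

Two design points worth noting. The tag is checked before the payload reaches pickle at all, because pickle executes opcodes while parsing and a malformed or hostile stream must never be parsed on the strength of a later check. And HMAC authenticates the payload rather than encrypting it: a peer without the key cannot produce an accepted message, which is the property that closes this class of bug, but the bytes remain readable on the channel, so confidentiality, if needed, is a separate control. The restricted unpickler stays in place as the second layer for the case the summary warns about, where the HMAC feature is disabled or a key-holding peer is itself compromised.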

MITRE ATT&CK Techniques Inferred
  • T1059.006: Command and Scripting Interpreter: Python: The vulnerability stems from the improper handling of Inter-Process Communication (IPC) within the Python executor component, specifically the use of the Python 'pickle' module to serialize and deserialize untrusted data. Exploiting deserialization flaws of this kind is a common route to executing arbitrary code, so an attacker could use this vulnerability to run arbitrary malicious code on the system. That maps to T1059.006, since the attacker leverages the Python environment to execute scripts or commands through the deserialization attack.
  • T1003: OS Credential Dumping: A local attacker with access to the system could exploit this vulnerability to tamper with data or disclose sensitive information. The ability to tamper with data or disclose sensitive information falls under the MITRE ATT&CK Technique T1003: OS Credential Dumping, where attackers attempt to gain access to credentials and other sensitive information. Although the article doesn't explicitly mention credential dumping, the risk of sensitive information disclosure through IPC vulnerabilities suggests potential exposure of credentials.
