Cybersecurity researchers have disclosed a crucial safety flaw within the Lightning AI Studio improvement platform that, if efficiently exploited, may permit for distant code execution.
The vulnerability, rated a CVSS rating of 9.4, permits “attackers to potentially execute arbitrary commands with root privileges” by exploiting a hidden URL parameter, utility safety agency Noma mentioned in a report shared with The Hacker Information.
“This level of access could hypothetically be leveraged for a range of malicious activities, including the extraction of sensitive keys from targeted accounts,” researchers Sasi Levi, Alon Tron, and Gal Moyal mentioned.
The problem is embedded in a chunk of JavaScript code that might facilitate unfettered entry to a sufferer’s improvement setting, in addition to run arbitrary instructions on an authenticated goal in a privileged context.
Noma mentioned it discovered a hidden parameter known as “command” in user-specific URLs – e.g., “lightning.ai/PROFILE_USERNAME/vision-model/studios/STUDIO_PATH/terminal?fullScreen=true&commmand=cmVzc…” – which may very well be used to move a Base64-encoded instruction to be executed on the underlying host.
Even worse, the loophole may very well be weaponized to run instructions that may exfiltrate crucial info similar to entry tokens and person info to an attacker-controlled server.
Profitable exploitation of the vulnerability implies that it may allow an adversary to execute arbitrary privileged instructions and acquire root entry, harvest delicate information, and manipulate the file system to create, delete, or modify information on the server.
All an attacker wants to tug this off is prior data of a profile username and their related Lightning AI Studio, particulars which might be publicly obtainable through the Studio templates gallery.
Armed with this info, the risk actor can then craft a malicious hyperlink such that it triggers code execution on the recognized Studio below root permissions. Following accountable disclosure on October 14, 2024, the issue has been resolved by the Lightning AI workforce as of October 25.
“Vulnerabilities like these underscore the importance of mapping and securing the tools and systems used for building, training, and deploying AI models because of their sensitive nature,” the researchers mentioned.
