Horizon Alert
Summary of the vulnerability and why it matters
A vulnerability in the AI Tensor Engine for ROCm allows unauthenticated remote attackers to execute arbitrary code by sending a malicious data payload. This could enable attackers to run unauthorized commands on affected systems within a cluster network. The main concern is confirming relevance and exposure.
- Malicious data can execute unauthorized commands.
- It impacts systems running AI Tensor Engine for ROCm.
- Confirm relevance and exposure of AI Tensor Engine.
Attack Path
How an attacker could exploit the issue
An attacker could gain remote code execution by sending a specially crafted message containing a malicious pickle payload to a susceptible AI Tensor Engine for ROCm (AITER) MessageQueue. This could occur if the attacker can reach an XPUB endpoint on the cluster network or forge a Handle with an attacker-controlled address, bypassing any security checks and allowing arbitrary code to run on remote reader workers.
- Network access to cluster endpoints required.
- Sending a malicious pickle payload triggers vulnerability.
- Arbitrary code execution on reader workers.
Live Threat
Current exploitation, exposure, and threat context
Unauthenticated remote code execution could impact inference worker processes on every remote reader worker. This occurs when an attacker can reach a specific endpoint or forge a handle, allowing them to send a malicious pickle payload. The vulnerability is present in the MessageQueue.recv() function when no authentication, HMAC, or format validation is applied.
- Inference worker processes.
- Network reachable endpoint or forged handle.
- Arbitrary code execution on readers.
Operational Fix
Recommended remediation, mitigation, and detection steps
The AI Tensor Engine for ROCm (AITER) vulnerability likely impacts teams responsible for AI/ML infrastructure, platform engineering, or those managing GPU compute clusters. The immediate first step is to identify all AITER deployments, confirm their network reachability and criticality, and locate the specific system or application owner responsible for its maintenance and security. A risk-based remediation plan should then be developed, coordinating with the vendor if necessary.
- Confirm AITER deployment and criticality.
- Identify system or application owner.
- Plan remediation based on risk.