CVE-2021-29522 in TensorFlowinfo

Summary

by MITRE • 05/15/2021

TensorFlow is an end-to-end open source platform for machine learning. The `tf.raw_ops.Conv3DBackprop*` operations fail to validate that the input tensors are not empty. In turn, this would result in a division by 0. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/a91bb59769f19146d5a0c20060244378e878f140/tensorflow/core/kernels/conv_grad_ops_3d.cc#L430-L450) does not check that the divisor used in computing the shard size is not zero. Thus, if attacker controls the input sizes, they can trigger a denial of service via a division by zero error. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 05/16/2021

The vulnerability described in CVE-2021-29522 affects TensorFlow's implementation of three-dimensional convolution operations, specifically the `tf.raw_ops.Conv3DBackprop*` functions that are part of the machine learning framework's computational graph. This flaw represents a classic denial of service condition that arises from inadequate input validation within the tensor processing pipeline. The vulnerability exists in the convolution gradient computation operations where TensorFlow fails to validate that input tensors contain valid data dimensions before proceeding with mathematical operations that depend on these dimensions.

The technical implementation of this vulnerability stems from a critical oversight in the shard size calculation logic within the convolution gradient operations. The affected code segment in TensorFlow's kernel implementation does not perform proper validation to ensure that divisor values used in calculating shard sizes are not zero. This particular implementation flaw is documented in the TensorFlow source code repository at the specified location where the division operations occur without proper boundary checks. When malicious actors provide carefully crafted input tensor dimensions that result in zero-sized divisors, the system encounters a division by zero error that crashes the processing pipeline.

The operational impact of this vulnerability extends beyond simple service disruption to represent a potential attack vector that could be exploited in environments where TensorFlow processes untrusted input data. The vulnerability affects multiple TensorFlow versions including 2.1.4, 2.2.3, 2.3.3, 2.4.2, and the upcoming 2.5.0 release, indicating that this is a widespread issue within the framework's core operations. Attackers who can control input tensor sizes can trigger the division by zero condition, leading to complete system crashes and denial of service conditions that would prevent legitimate processing operations from completing successfully.

This vulnerability aligns with CWE-369, which specifically addresses the issue of division by zero in software implementations. The flaw demonstrates poor input validation practices that are commonly exploited in distributed computing environments where machine learning frameworks process data from multiple sources. From an adversarial perspective, this vulnerability maps to ATT&CK technique T1499.004 which involves network denial of service attacks through exploitation of resource exhaustion or calculation errors. The vulnerability represents a particularly concerning issue because it can be triggered through normal computational operations without requiring specialized attack vectors or privilege escalation.

The fix for this vulnerability involves implementing proper input validation checks that ensure tensor dimensions are not empty before proceeding with gradient computation operations. TensorFlow developers have addressed this issue by incorporating validation logic that prevents the execution path from reaching the division operations when input tensors contain invalid dimensions. The patch implementation specifically targets the shard size calculation logic to ensure that divisor values are properly validated before mathematical operations are performed, thereby preventing the division by zero condition from occurring in production environments.

Organizations utilizing TensorFlow in production environments should prioritize immediate patching of affected versions to prevent potential exploitation. The vulnerability's impact is particularly severe in cloud environments or multi-tenant systems where TensorFlow instances might process inputs from untrusted sources, making the system susceptible to malicious input manipulation. Security teams should also consider implementing monitoring for unusual tensor dimension patterns that might indicate attempted exploitation of this vulnerability, as well as establishing proper input sanitization protocols for any TensorFlow-based applications that process external data feeds. The vulnerability serves as a reminder of the critical importance of input validation in mathematical computing frameworks where numerical operations can lead to system crashes when proper boundary conditions are not enforced.

Responsible

GitHub, Inc.

Reservation

03/30/2021

Disclosure

05/15/2021

Moderation

accepted

CPE

ready

EPSS

0.00189

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!