CVE-2021-29541 in TensorFlowinfo

Summary

by MITRE • 05/15/2021

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null pointer in `tf.raw_ops.StringNGrams`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L67-L74) does not fully validate the `data_splits` argument. This would result in `ngrams_data`(https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L106-L110) to be a null pointer when the output would be computed to have 0 or negative size. Later writes to the output tensor would then cause a null pointer dereference. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/19/2021

The vulnerability identified as CVE-2021-29541 affects TensorFlow, a widely-used open-source machine learning platform that enables developers to build and deploy machine learning models across various environments. This security flaw resides within the tf.raw_ops.StringNGrams operation, which is designed to generate n-grams from string data, a common preprocessing step in natural language processing tasks. The issue stems from insufficient input validation within the string n-grams kernel implementation, creating a potential pathway for denial-of-service attacks and arbitrary code execution under specific conditions.

The technical root cause of this vulnerability manifests in the StringNGrams operation's handling of the data_splits argument, which is processed in the string_ngrams_op.cc source file. When the implementation fails to properly validate the data_splits parameter, it can lead to scenarios where the ngrams_data pointer becomes null during computation. This occurs specifically when the output tensor is calculated to have zero or negative size, a condition that the existing validation logic does not adequately address. The flaw is particularly concerning because it operates at the kernel level of TensorFlow's computation graph, where the null pointer dereference happens during tensor output processing, as evidenced by the code references to lines 67-74 and 106-110 in the implementation file.

The operational impact of this vulnerability extends beyond simple denial-of-service conditions, as it could potentially enable more sophisticated attack vectors. When the ngrams_data pointer becomes null, any subsequent attempts to write data to the output tensor will result in a null pointer dereference, causing the application to crash or terminate unexpectedly. This behavior aligns with CWE-476, which describes null pointer dereference vulnerabilities, and represents a classic example of how insufficient input validation can lead to system instability. The vulnerability affects multiple TensorFlow versions including 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0, indicating a widespread impact across the platform's supported release cycle. Attackers could exploit this weakness by crafting malicious input data that triggers the specific validation failure, potentially leading to service disruption in production environments that rely on TensorFlow for machine learning workloads.

The remediation strategy for CVE-2021-29541 involves implementing comprehensive input validation for the data_splits argument within the StringNGrams operation. The fix requires ensuring that the implementation properly validates all input parameters before proceeding with tensor computations, specifically addressing the edge cases where output size calculations might result in zero or negative values. This approach aligns with the principle of defensive programming and follows the ATT&CK framework's mitigation strategies for preventing code execution vulnerabilities. The TensorFlow team has addressed this issue by incorporating the fix into TensorFlow 2.5.0, with cherry-picked updates for older supported versions, demonstrating the platform's commitment to maintaining security in its supported release branches. Organizations using affected TensorFlow versions should prioritize updating to patched releases to eliminate this vulnerability from their machine learning pipelines, as the flaw could be exploited in environments where TensorFlow processes untrusted input data, particularly in web applications or API services that accept user-provided text for n-gram generation.

Responsible

GitHub, Inc.

Reservation

03/30/2021

Disclosure

05/15/2021

Moderation

accepted

CPE

ready

EPSS

0.00189

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!