CVE-2021-29582 in TensorFlow

Summary

by MITRE • 05/15/2021

TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.Dequantize`, an attacker can trigger a read from outside of bounds of heap allocated data. The [implementation](https://github.com/tensorflow/tensorflow/blob/26003593aa94b1742f34dc22ce88a1e17776a67d/tensorflow/core/kernels/dequantize_op.cc#L106-L131) accesses the `min_range` and `max_range` tensors in parallel but fails to check that they have the same shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Analysis

by VulDB Data Team • 05/19/2021

The vulnerability identified as CVE-2021-29582 affects TensorFlow, a widely used open source machine learning platform that powers numerous applications across industries. This issue stems from insufficient input validation within the tf.raw_ops.Dequantize operation, creating a potential memory access violation that could be exploited by malicious actors. The flaw specifically manifests in the dequantization kernel implementation where the system processes min_range and max_range tensors without proper shape verification, leading to a scenario where heap memory boundaries may be exceeded during processing operations.

The vulnerable code is in the TensorFlow kernel source at lines 106-131 of the dequantize_op.cc file, where the min_range and max_range tensors are accessed in parallel without a check that they have identical dimensional structures. This lack of shape validation creates a classic out-of-bounds memory read condition that can be triggered by an attacker providing malicious tensor inputs with mismatched dimensions. The vulnerability is classified under CWE-125, which represents "Out-of-bounds Read," and aligns with ATT&CK technique T1059.001 for command and scripting interpreter, as exploitation could occur through crafted machine learning model inputs.

The operational impact of this vulnerability extends beyond simple memory corruption, as it represents a potential vector for arbitrary code execution within environments that process untrusted TensorFlow models. Attackers could leverage this flaw to read sensitive data from adjacent memory regions or potentially cause system instability through memory access violations. The vulnerability affects multiple TensorFlow versions including 2.1.4, 2.2.3, 2.3.3, 2.4.2, and the affected releases are all within supported maintenance windows, making this issue particularly concerning for production environments that may be running older TensorFlow versions. Organizations using TensorFlow for processing external data inputs or in security-sensitive applications should consider this vulnerability as a high-priority concern requiring immediate remediation.

Mitigation strategies for CVE-2021-29582 should prioritize updating affected TensorFlow installations to versions 2.5.0 or later, with specific cherry-pick updates for the supported maintenance releases. System administrators should implement additional input validation layers when processing TensorFlow models from untrusted sources, and organizations should conduct comprehensive vulnerability assessments across their machine learning pipelines. The fix implemented addresses the core issue by adding proper shape validation between the min_range and max_range tensors before parallel access operations, preventing the out-of-bounds memory read condition. Security teams should also consider monitoring for unusual memory access patterns and implement network segmentation for systems processing sensitive data through TensorFlow operations, as this vulnerability could potentially enable information disclosure or denial of service conditions in affected environments.
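
The shape check described above, as an added example: a simplified C++ model of a per-slice dequantize loop, not TensorFlow's dequantize_op.cc and not the upstream patch. The names `DequantizeResult`, `DequantizeChecked` and `num_slices`, the uint8 scaling formula, and the requirement of one range pair per slice are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Simplified model of a per-slice dequantize loop; not TensorFlow code.
// All names here (DequantizeResult, DequantizeChecked, num_slices) are hypothetical.
struct DequantizeResult {
  std::vector<float> output;  // empty when the input is rejected
  std::string error;          // empty on success
};

// input holds num_slices equal-length slices of quantized bytes. Slice i is
// scaled with min_range[i] and max_range[i], so both are indexed in parallel.
DequantizeResult DequantizeChecked(const std::vector<uint8_t>& input,
                                   std::size_t num_slices,
                                   const std::vector<float>& min_range,
                                   const std::vector<float>& max_range) {
  if (num_slices == 0 || input.size() % num_slices != 0)
    return {{}, "input size is not a multiple of num_slices"};
  // Without this check, a shorter max_range is read past its end in the loop.
  if (min_range.size() != max_range.size())
    return {{}, "min_range and max_range must have the same shape"};
  // Assumption beyond the advisory text: one range pair per slice.
  if (min_range.size() != num_slices)
    return {{}, "range tensors must have one element per slice"};

  const std::size_t slice_len = input.size() / num_slices;
  std::vector<float> out(input.size());
  for (std::size_t i = 0; i < num_slices; ++i) {
    const float scale = (max_range[i] - min_range[i]) / 255.0f;
    for (std::size_t j = 0; j < slice_len; ++j)
      out[i * slice_len + j] = min_range[i] + scale * input[i * slice_len + j];
  }
  return {std::move(out), ""};
}

int main() {
  const std::vector<uint8_t> input = {0, 255, 0, 255};  // constructed sample
  auto ok = DequantizeChecked(input, 2, {0.0f, -1.0f}, {1.0f, 1.0f});
  auto bad = DequantizeChecked(input, 2, {0.0f, -1.0f}, {1.0f});
  std::cout << "ok values: " << ok.output.size() << ", rejected: " << bad.error << "\n";
  return 0;
}
```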

Responsible: GitHub, Inc.
Reservation: 03/30/2021
Disclosure: 05/15/2021
Moderation: accepted
CPE: ready
EPSS: 0.00198
KEV: no
Activities: very low
