CVE-2021-29589 in TensorFlow
Summary
by MITRE • 05/15/2021
TensorFlow is an end-to-end open source platform for machine learning. The reference implementation of the `GatherNd` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/reference/reference_ops.h#L966). An attacker can craft a model such that `params` input would be an empty tensor. In turn, `params_shape.Dims(.)` would be zero, in at least one dimension. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/19/2021
The vulnerability identified as CVE-2021-29589 affects TensorFlow's TensorFlow Lite implementation through the `GatherNd` operator, which is a fundamental component for indexing and gathering elements from tensors in machine learning models. This issue represents a critical division by zero error that occurs within the reference implementation of the operator, specifically in the file reference_ops.h at line 966. The flaw manifests when an attacker crafts a malicious model that provides an empty tensor as the `params` input parameter, causing the dimension calculation to result in zero values that subsequently trigger the division operation.
The technical exploitation of this vulnerability relies on the specific conditions where the `params_shape.Dims(.)` function returns zero in at least one dimension of the tensor. This condition creates a scenario where the division operation within the `GatherNd` implementation attempts to divide by zero, leading to potential system crashes or undefined behavior in applications that utilize TensorFlow Lite. The vulnerability is particularly concerning because it can be triggered through model manipulation without requiring complex attack vectors, making it accessible to adversaries who can influence model inputs. This flaw falls under CWE-369, which specifically addresses the division by zero error condition that can lead to application crashes and potential denial of service scenarios.
The operational impact of this vulnerability extends across multiple TensorFlow versions including 2.5.0 and its predecessors 2.4.2, 2.3.3, 2.2.3, and 2.1.4, all of which remain within supported release ranges. When exploited, the division by zero error can cause complete application termination or system instability, particularly affecting mobile and embedded applications that rely on TensorFlow Lite for machine learning inference tasks. The vulnerability affects systems where TensorFlow Lite is deployed in production environments, including mobile applications, edge devices, and IoT systems that utilize machine learning capabilities. The fix implementation requires careful consideration of backward compatibility while ensuring that all supported versions receive the necessary patches to prevent exploitation.
Organizations utilizing TensorFlow Lite should immediately implement mitigations by upgrading to TensorFlow 2.5.0 or applying the cherry-picked fixes to their supported versions. The vulnerability demonstrates the importance of input validation in machine learning frameworks, particularly when dealing with tensor operations that assume non-zero dimensions. Security practitioners should monitor for potential exploitation attempts and implement defensive measures including model validation, input sanitization, and runtime monitoring to detect anomalous behavior that might indicate attempted exploitation of this division by zero condition. This vulnerability also highlights the need for comprehensive testing of edge cases in mathematical operations within machine learning frameworks, particularly those involving tensor indexing and gathering operations that are critical for model functionality.