CVE-2021-29602 in TensorFlow
Summary
by MITRE • 05/15/2021
TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `DepthwiseConv` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/1a8e885b864c818198a5b2c0cbbeca5a1e833bc8/tensorflow/lite/kernels/depthwise_conv.cc#L287-L288). An attacker can craft a model such that `input`'s fourth dimension would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Analysis
by VulDB Data Team • 05/19/2021
The vulnerability identified as CVE-2021-29602 affects the TensorFlow Lite framework through a critical division by zero error in the DepthwiseConv operator implementation. The flaw is in the tensorflow/lite/kernels/depthwise_conv.cc file at lines 287-288, where the code does not validate input dimensions before performing arithmetic on them. It is triggered when an attacker crafts a malicious machine learning model whose input tensor has a fourth dimension of zero, so the division by that dimension divides by zero and can crash the application or destabilize the system.
The technical implementation of this vulnerability stems from inadequate input validation within the DepthwiseConv TFLite operator. When processing neural network models, the operator expects specific dimensional constraints for input tensors, particularly regarding the fourth dimension which typically represents channels or features. The code does not include proper bounds checking or dimension validation before executing division operations, creating a path where maliciously constructed models can trigger arithmetic exceptions. This type of vulnerability aligns with CWE-369, which specifically addresses the division by zero error condition that can occur when programs fail to validate input data before performing mathematical operations.
The operational impact of this vulnerability extends beyond a simple application crash: it is a denial of service vector against any system that uses TensorFlow Lite for mobile or embedded machine learning. An attacker could exploit it by submitting a specially crafted model to a system running TensorFlow Lite, disrupting the service or destabilizing the system. The vulnerability affects multiple TensorFlow versions including 2.1.4, 2.2.3, 2.3.3, 2.4.2, and these versions are still within supported release ranges, making this a significant concern for organizations maintaining legacy TensorFlow deployments. The fix addresses the root cause by validating the input so that a zero-sized fourth dimension never reaches the problematic division.
Mitigation strategies for CVE-2021-29602 should prioritize immediate deployment of patched TensorFlow versions, specifically TensorFlow 2.5.0 and the cherry-picked versions for older supported releases. Organizations should implement model validation protocols that verify input tensor dimensions before processing, particularly for fourth dimension values that could lead to division operations. The vulnerability demonstrates the importance of input sanitization in machine learning frameworks, aligning with ATT&CK technique T1059.001 for operating system command execution through malformed inputs. Additionally, security teams should consider implementing runtime monitoring for unusual division operations and establish procedures for validating third-party machine learning models before deployment in production environments to prevent exploitation of similar validation gaps in other operators or components.
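The following is an added illustration of the validation gap the analysis describes, not TensorFlow's own code: a simplified stand-in for a TFLite-style `Prepare()` step that derives the depthwise depth multiplier from the input and output shapes. `PrepareUnchecked` shows the CWE-369 pattern (dividing by the input's fourth dimension with no check), and `PrepareChecked` shows the kind of shape validation that keeps a zero channel count from reaching the division; the function and type names are assumptions made for this example.

```cpp
#include <vector>

// Simplified stand-in for a TFLite-style Prepare() step; not TensorFlow's
// own code. Tensor shapes are [batch, height, width, channels].
enum class Status { kOk, kError };

struct DepthwiseParams {
    int depth_multiplier = 0;
};

// Vulnerable shape of the logic (CWE-369): the multiplier is derived by
// dividing by the input's fourth dimension with no check that it is
// non-zero, so a model whose input tensor has 0 channels crashes the process.
Status PrepareUnchecked(const std::vector<int>& input_shape,
                        const std::vector<int>& output_shape,
                        DepthwiseParams* params) {
    params->depth_multiplier = output_shape[3] / input_shape[3];  // may divide by 0
    return Status::kOk;
}

// Hardened version: validate every shape property the operator relies on
// before doing any arithmetic, in the spirit of TFLite's TF_LITE_ENSURE guards.
Status PrepareChecked(const std::vector<int>& input_shape,
                      const std::vector<int>& output_shape,
                      DepthwiseParams* params) {
    // Both tensors must be rank 4 before dimension 3 can even be read.
    if (input_shape.size() != 4 || output_shape.size() != 4) return Status::kError;
    const int input_depth = input_shape[3];
    const int output_depth = output_shape[3];
    // Reject the crafted case: a zero (or negative) channel count.
    if (input_depth <= 0 || output_depth <= 0) return Status::kError;
    // Output channels must be an exact multiple of input channels.
    if (output_depth % input_depth != 0) return Status::kError;
    params->depth_multiplier = output_depth / input_depth;
    return Status::kOk;
}

// Convenience wrapper: the multiplier on success, -1 if validation failed.
int SafeDepthMultiplier(const std::vector<int>& input_shape,
                        const std::vector<int>& output_shape) {
    DepthwiseParams params;
    if (PrepareChecked(input_shape, output_shape, &params) != Status::kOk) return -1;
    return params.depth_multiplier;
}
```

A model loader that applies the same checks to every operator's declared shapes before invoking the interpreter gives the pre-deployment validation step described above a concrete form.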