CVE-2021-37655 in TensorFlowinfo

Summary

by MITRE • 08/13/2021

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a read from outside of bounds of heap allocated data by sending invalid arguments to `tf.raw_ops.ResourceScatterUpdate`. The [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/resource_variable_ops.cc#L919-L923) has an incomplete validation of the relationship between the shapes of `indices` and `updates`: instead of checking that the shape of `indices` is a prefix of the shape of `updates` (so that broadcasting can happen), code only checks that the number of elements in these two tensors are in a divisibility relationship. We have patched the issue in GitHub commit 01cff3f986259d661103412a20745928c727326f. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 08/17/2021

The vulnerability CVE-2021-37655 affects TensorFlow, a widely used open source machine learning platform that powers numerous applications across industries. This issue resides in the `tf.raw_ops.ResourceScatterUpdate` operation within TensorFlow's kernel implementation, specifically in the resource variable operations file. The flaw represents a classic buffer over-read condition that occurs when processing tensor operations involving resource variables, making it particularly dangerous in environments where TensorFlow processes untrusted input data from external sources.

The technical flaw stems from incomplete input validation within the shape relationship checking mechanism between the `indices` and `updates` parameters. The implementation fails to properly verify that the shape of `indices` forms a valid prefix of the shape of `updates`, which is essential for proper broadcasting operations. Instead, the code only validates that the number of elements in both tensors maintains a divisibility relationship, creating a gap in validation logic that allows attackers to craft malicious inputs. This incomplete validation pattern creates a condition where an attacker can manipulate tensor shapes to cause the system to read memory locations beyond the bounds of heap-allocated data structures, potentially leading to information disclosure or system instability.

The operational impact of this vulnerability extends across multiple TensorFlow versions, with affected releases including TensorFlow 2.3.4, 2.4.3, 2.5.1, and earlier versions that remain in support. Attackers exploiting this vulnerability could potentially trigger unauthorized memory access patterns that might reveal sensitive information stored in adjacent memory regions, or in more severe cases, cause application crashes that could be leveraged in denial-of-service attacks. The vulnerability is particularly concerning in production environments where TensorFlow processes data from untrusted sources, such as web applications or data ingestion pipelines, as it could enable attackers to extract confidential information or disrupt service availability.

Security practitioners should prioritize patching affected systems with TensorFlow 2.6.0 or the cherry-picked fixes for versions 2.5.1, 2.4.3, and 2.3.4, as these releases contain the necessary validation improvements. The fix addresses the core issue by implementing proper shape prefix validation, ensuring that the relationship between tensor dimensions follows the expected broadcasting rules. This vulnerability aligns with CWE-129, which covers improper validation of array index bounds, and could be categorized under ATT&CK technique T1059 for command and control through software exploitation. Organizations should also implement monitoring for unusual tensor operation patterns and consider implementing input sanitization layers for TensorFlow operations that process external data, particularly those involving resource variable updates. The vulnerability demonstrates the critical importance of thorough input validation in machine learning frameworks where tensor operations can directly influence memory management and system stability.

Responsible

GitHub, Inc.

Reservation

07/29/2021

Disclosure

08/13/2021

Moderation

accepted

CPE

ready

EPSS

0.00167

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!