CVE-2021-41228 in TensorFlow

Summary

by MITRE • 11/06/2021

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's `saved_model_cli` tool is vulnerable to a code injection as it calls `eval` on user supplied strings. This can be used by attackers to run arbitrary code on the platform where the CLI tool runs. However, given that the tool is always run manually, the impact of this is not severe. We have patched this by adding a `safe` flag which defaults to `True` and an explicit warning for users. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Analysis

by VulDB Data Team • 11/10/2021

TensorFlow's saved_model_cli tool contains a critical code injection vulnerability that stems from its improper handling of user-supplied input through the eval function. This flaw exists in multiple TensorFlow versions and represents a significant security risk that allows attackers to execute arbitrary code on systems where the CLI tool operates. The vulnerability specifically manifests when the tool processes user-provided strings without adequate sanitization or validation, creating an environment where malicious input can be interpreted and executed as code. The flaw directly aligns with CWE-94, which defines improper control of generation of code, and demonstrates how unsafe evaluation of dynamic code can lead to complete system compromise. The vulnerability is particularly concerning because it affects a tool designed for model management and inspection, which typically runs in environments where security controls may be relaxed.

The operational impact of this vulnerability extends beyond simple code execution, as it enables attackers to potentially escalate privileges, access sensitive data, or disrupt system operations. While the vulnerability requires manual execution of the CLI tool by an attacker, the implications remain severe given that TensorFlow is widely used in production environments. The security implications are further amplified by the fact that many organizations may not be aware of the risks associated with running such tools in production or development environments where they could be exposed to untrusted input. The vulnerability creates a persistent threat vector that can be exploited through various attack vectors including social engineering, compromised development environments, or insider threats. The tool's design inherently assumes trusted input, which creates a dangerous assumption that can be exploited in real-world scenarios.

The mitigation strategy implemented by TensorFlow developers involves adding a default-safe flag that prevents automatic execution of potentially malicious input, along with explicit user warnings about the dangers of processing untrusted data. This approach aligns with ATT&CK technique T1059.001, which covers command and scripting interpreter execution, and demonstrates a proper defense-in-depth strategy. The fix addresses the root cause by preventing the unsafe eval operations while maintaining backward compatibility through the safe flag mechanism. The patch has been integrated into TensorFlow 2.7.0 and backported to older supported versions, ensuring that organizations using legacy versions can also benefit from the protection. This comprehensive approach to vulnerability remediation ensures that the security fix reaches the maximum number of affected users while maintaining the tool's functionality for legitimate use cases. The implementation reflects industry best practices for secure coding and demonstrates the importance of input validation and code evaluation safety in machine learning tooling.
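
The difference between evaluating a user-supplied string with `eval` and accepting only literals, shown as an added example that is not TensorFlow's code. The function name `parse_input_exprs`, the `key=expression;key=expression` input format, and the use of `ast.literal_eval` for the safe path are assumptions made for illustration; the page does not state how the `safe` flag is implemented.

```python
import ast

# CONSTRUCTED sample inputs (not taken from the advisory).
LITERALS = "x=[[1, 2], [3, 4]];y={'a': 1.5}"
CALL = "x=len('abc')"  # harmless call, stands in for any non-literal expression


def parse_input_exprs(spec, safe=True):
    """Parse 'key=<expr>;key2=<expr>' into a dict (hypothetical format).

    safe=True  : ast.literal_eval, accepts only Python literals
                 (numbers, strings, lists, tuples, dicts, sets, booleans, None).
    safe=False : eval, the behaviour the advisory describes as injectable;
                 any expression in the string is executed.
    Note: splitting on ';' means string literals containing ';' are not supported.
    """
    result = {}
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, expr = item.partition("=")
        key, expr = key.strip(), expr.strip()
        if not sep or not key or not expr:
            raise ValueError(f"expected key=expression, got {item!r}")
        if safe:
            try:
                result[key] = ast.literal_eval(expr)
            except (ValueError, SyntaxError, TypeError,
                    MemoryError, RecursionError) as exc:
                # Calls, names, attribute access and imports all land here.
                raise ValueError(f"{key}: not a plain literal, refused") from exc
        else:
            result[key] = eval(expr)  # executes whatever the caller supplied
    return result


if __name__ == "__main__":
    print(parse_input_exprs(LITERALS))          # literals parse in safe mode
    print(parse_input_exprs(CALL, safe=False))  # the call runs under eval
    try:
        parse_input_exprs(CALL)                 # same input, safe default
    except ValueError as err:
        print("rejected:", err)
```
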

Responsible: GitHub, Inc.
Reservation: 09/15/2021
Disclosure: 11/06/2021
Moderation: accepted
CPE: ready
EPSS: 0.00208
KEV: no
Activities: very low
