CVE-2022-35973 in TensorFlow

Summary

by MITRE • 09/17/2022

TensorFlow is an open source platform for machine learning. If `QuantizedMatMul` is given nonscalar input for `min_a`, `max_a`, `min_b`, or `max_b`, it gives a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Analysis

by VulDB Data Team • 10/19/2022

The vulnerability identified as CVE-2022-35973 affects TensorFlow, a widely used open source machine learning platform that serves as the foundation for numerous artificial intelligence applications across industries. This issue specifically targets the QuantizedMatMul operation within TensorFlow's computational graph execution, which is designed to perform matrix multiplication operations on quantized data types to optimize performance and reduce memory usage in neural network inference. The flaw manifests when the QuantizedMatMul function receives non-scalar input values for the parameters min_a, max_a, min_b, or max_b, which are typically used to define the quantization range for input tensors. These parameters should logically accept scalar values to specify the minimum and maximum bounds for quantization, but the implementation fails to properly validate input dimensions, creating a critical security gap.

The technical implementation of this vulnerability stems from insufficient input validation within TensorFlow's quantized matrix multiplication kernel. When nonscalar inputs are provided for the quantization parameters, the function fails to properly handle the memory access patterns and parameter processing, leading to a segmentation fault (segfault). This occurs because the code assumes scalar input values and attempts to access memory locations that are either invalid or improperly allocated when multidimensional arrays are passed. The segfault represents a classic buffer overread or invalid memory access condition that can be exploited by malicious actors to cause the application to crash or terminate unexpectedly. This behavior aligns with CWE-125, which describes out-of-bounds read vulnerabilities, and CWE-787, which covers out-of-bounds write conditions, both of which are common in memory safety issues. The vulnerability operates at the kernel level within TensorFlow's execution engine, making it particularly dangerous as it can be triggered during normal model execution.

The operational impact of this vulnerability extends beyond simple denial of service, as it represents a potential vector for more sophisticated attacks within machine learning environments. While the immediate effect is a segmentation fault that causes service interruption, the broader implications include the possibility of remote code execution if the vulnerability exists in server environments where TensorFlow processes untrusted input data. Attackers could potentially leverage this weakness in applications that process user-provided models or parameters, leading to complete system compromise. The vulnerability affects multiple TensorFlow versions including 2.7.2, 2.8.1, 2.9.1, and the unreleased 2.10.0, indicating that it has been present for an extended period and affects a substantial portion of the user base. Organizations relying on TensorFlow for production machine learning workloads face significant risk, as this vulnerability could be exploited to disrupt critical AI services, particularly in cloud environments where TensorFlow-based models serve numerous applications and users.

The mitigation strategy for CVE-2022-35973 involves immediate deployment of the patched versions of TensorFlow, with the fix implemented through GitHub commit aca766ac7693bf29ed0df55ad6bfcc78f35e7f48. This patch specifically addresses the input validation logic for the QuantizedMatMul operation, ensuring that nonscalar inputs for quantization parameters are properly rejected or handled without causing memory access violations. The fix has been incorporated into TensorFlow 2.10.0, with cherry-picked updates for the supported maintenance releases 2.9.1, 2.8.1, and 2.7.2 to ensure backward compatibility for organizations unable to immediately upgrade to the latest version. Security practitioners should prioritize patching affected systems, as there are no known workarounds for this vulnerability. Organizations should implement comprehensive monitoring for segmentation fault occurrences in TensorFlow-based applications and consider implementing input validation layers at the application level to prevent malformed quantization parameters from reaching the core TensorFlow engine. The vulnerability demonstrates the importance of input validation in mathematical and computational libraries, particularly in AI frameworks where complex parameter handling can create unexpected execution paths that bypass normal security controls. This issue highlights the need for robust security testing of machine learning frameworks, particularly around parameter validation and memory management, as these components form the foundation of secure AI deployment in enterprise environments.
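An application-level validation layer of the kind suggested above, as an added example (not code from TensorFlow or from the fix commit): it refuses to run the op unless all four range inputs are scalars. The function names `rank_of`, `nonscalar_ranges` and `guarded_quantized_matmul` are hypothetical, and the op is passed in as a callable so the guard itself needs no TensorFlow import.

```python
"""Reject non-scalar quantization ranges before QuantizedMatMul runs."""

RANGE_ARGS = ("min_a", "max_a", "min_b", "max_b")


def rank_of(value):
    """Return the number of dimensions of value (0 for a scalar)."""
    shape = getattr(value, "shape", None)
    if shape is not None:
        # Array-like objects that expose a .shape sequence.
        return len(shape)
    if isinstance(value, (list, tuple)):
        # Nested sequences: one dimension per nesting level. An empty
        # sequence has rank 1 (shape [0]) and is not a scalar either.
        return 1 + (rank_of(value[0]) if value else 0)
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return 0
    raise TypeError(f"unsupported range value type: {type(value).__name__}")


def nonscalar_ranges(**ranges):
    """Return {name: rank} for each range argument whose rank is not 0."""
    missing = [n for n in RANGE_ARGS if n not in ranges]
    if missing:
        raise ValueError(f"missing range arguments: {missing}")
    ranks = {n: rank_of(ranges[n]) for n in RANGE_ARGS}
    return {n: r for n, r in ranks.items() if r != 0}


def guarded_quantized_matmul(op, a, b, min_a, max_a, min_b, max_b, **kwargs):
    """Call op only when min_a, max_a, min_b and max_b are all scalars.

    op is the callable the application uses to run QuantizedMatMul
    (an assumption of this example); it receives keyword arguments only.
    """
    bad = nonscalar_ranges(min_a=min_a, max_a=max_a, min_b=min_b, max_b=max_b)
    if bad:
        detail = ", ".join(f"{n} has rank {r}" for n, r in bad.items())
        raise ValueError(
            f"QuantizedMatMul range inputs must be scalars: {detail}")
    return op(a=a, b=b, min_a=min_a, max_a=max_a,
              min_b=min_b, max_b=max_b, **kwargs)
```

A rejected call raises `ValueError` in the application process instead of reaching the kernel, so it can be logged and answered as a bad request.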

Responsible: GitHub, Inc.

Reservation: 07/15/2022

Disclosure: 09/17/2022

Moderation: accepted

CPE: ready

EPSS: 0.00423

KEV: no

Activities: very low
