Exécution de code à distance dans berriai/litellm
Plateforme
python
Composant
berriai/litellm
A critical Remote Code Execution (RCE) vulnerability has been identified in the berriai/litellm Python library, affecting versions up to the latest release. This vulnerability stems from the unsafe use of the eval function within the litellm.get_secret() method when interacting with Google KMS. Attackers can leverage this flaw to execute arbitrary code on the server, potentially leading to complete system compromise.
Détecte cette CVE dans ton projet
Téléverse ton fichier requirements.txt et nous te dirons instantanément si tu es affecté.
Impact et Scénarios d'Attaquetraduction en cours…
The impact of CVE-2024-4264 is severe. An attacker can exploit this vulnerability by injecting malicious values into environment variables, specifically targeting the /config/update endpoint to modify settings in proxyserverconfig.yaml. Successful exploitation allows for arbitrary code execution on the server hosting the litellm instance. This could lead to data exfiltration, system takeover, and potentially lateral movement within the network if the server has access to sensitive resources. The ability to modify KMS configurations further amplifies the risk, as attackers could compromise encryption keys and decrypt sensitive data.
Contexte d'Exploitationtraduction en cours…
This vulnerability is considered high probability due to the ease of exploitation and the critical nature of RCE. Public proof-of-concept (PoC) code is likely to emerge quickly, increasing the risk of widespread exploitation. The vulnerability was publicly disclosed on 2024-05-18. It is not currently listed on CISA KEV, but its severity warrants close monitoring. Active exploitation campaigns are possible given the ease of exploitation and the potential impact.
Qui Est à Risquetraduction en cours…
Organizations using litellm for LLM orchestration, particularly those leveraging Google KMS for secret management, are at significant risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as an attacker could potentially exploit the vulnerability through another user's access to the /config/update endpoint.
Étapes de Détectiontraduction en cours…
• python / server:
import os
import re
# Check for suspicious environment variables
env_vars = os.environ
for var, value in env_vars.items():
if re.search(r'(eval|exec|system|subprocess)', value, re.IGNORECASE):
print(f"Suspicious environment variable detected: {var}={value}")• linux / server:
journalctl -u litellm -f | grep -i "eval"• generic web:
curl -I 'http://your-litellm-server/config/update' # Check for unusual headers or request parametersChronologie de l'Attaque
- Disclosure
disclosure
Renseignement sur les Menaces
Statut de l'Exploit
EPSS
3.28% (percentile 87%)
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Aucun — sans authentification. Aucune identifiant requis pour exploiter.
- User Interaction
- Aucune — attaque automatique et silencieuse. La victime ne fait rien.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
- Integrity
- Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
- Availability
- Élevé — panne complète ou épuisement des ressources. Déni de service total.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
- Modifiée
- EPSS mis à jour
Mitigation et Contournementstraduction en cours…
The primary mitigation for CVE-2024-4264 is to upgrade to a patched version of litellm as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. Restrict access to the /config/update endpoint to trusted users only. Implement strict input validation and sanitization on all data received through this endpoint. Consider using a Web Application Firewall (WAF) to filter out potentially malicious requests containing suspicious code. Monitor system logs for unusual activity related to the /config/update endpoint and KMS interactions.
Comment corriger
Mettez à jour la bibliothèque litellm vers la dernière version disponible. Cela corrigera la vulnérabilité d'exécution de code à distance. Assurez-vous également de mettre à jour toutes les configurations relatives à Google KMS pour éviter de futures vulnérabilités.
Newsletter Sécurité CVE
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
Questions fréquentestraduction en cours…
What is CVE-2024-4264 — Remote Code Execution in litellm?
CVE-2024-4264 is a critical RCE vulnerability in the litellm Python library, allowing attackers to execute arbitrary code via the /config/update endpoint and KMS configurations.
Am I affected by CVE-2024-4264 in litellm?
You are affected if you are using litellm versions less than or equal to the latest release and expose the /config/update endpoint.
How do I fix CVE-2024-4264 in litellm?
Upgrade to the patched version of litellm as soon as it's available. Until then, restrict access to the /config/update endpoint and implement input validation.
Is CVE-2024-4264 being actively exploited?
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest active exploitation is possible.
Where can I find the official litellm advisory for CVE-2024-4264?
Refer to the litellm GitHub repository and their official communication channels for updates and advisories regarding CVE-2024-4264.
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.