Cybersecurity researchers have found a essential security flaw in a man-made intelligence (AI)-as-a-service supplier Replicate that might have allowed risk actors to realize entry to proprietary AI fashions and delicate data.
“Exploitation of this vulnerability would have allowed unauthorized entry to the AI prompts and outcomes of all Replicate’s platform clients,” cloud security agency Wiz mentioned in a report revealed this week.
The difficulty stems from the truth that AI fashions are usually packaged in codecs that permit arbitrary code execution, which an attacker might weaponize to carry out cross-tenant assaults by the use of a malicious mannequin.
Replicate makes use of an open-source software referred to as Cog to containerize and bundle machine studying fashions that might then be deployed both in a self-hosted surroundings or to Replicate.
Wiz mentioned that it created a rogue Cog container and uploaded it to Replicate, in the end using it to realize distant code execution on the service’s infrastructure with elevated privileges.
“We suspect this code-execution method is a sample, the place firms and organizations run AI fashions from untrusted sources, though these fashions are code that might probably be malicious,” security researchers Shir Tamari and Sagi Tzadik mentioned.
The assault method devised by the corporate then leveraged an already-established TCP connection related to a Redis server occasion inside the Kubernetes cluster hosted on the Google Cloud Platform to inject arbitrary instructions.
What’s extra, with the centralized Redis server getting used as a queue to handle a number of buyer requests and their responses, it might be abused to facilitate cross-tenant assaults by tampering with the method as a way to insert rogue duties that might impression the outcomes of different clients’ fashions.
These rogue manipulations not solely threaten the integrity of the AI fashions, but in addition pose important dangers to the accuracy and reliability of AI-driven outputs.
“An attacker might have queried the non-public AI fashions of consumers, probably exposing proprietary data or delicate information concerned within the mannequin coaching course of,” the researchers mentioned. “Moreover, intercepting prompts might have uncovered delicate information, together with personally identifiable data (PII).
The shortcoming, which was responsibly disclosed in January 2024, has since been addressed by Replicate. There is no such thing as a proof that the vulnerability was exploited within the wild to compromise buyer information.
The disclosure comes just a little over a month after Wiz detailed now-patched dangers in platforms like Hugging Face that might permit risk actors to escalate privileges, acquire cross-tenant entry to different clients’ fashions, and even take over the continual integration and steady deployment (CI/CD) pipelines.
“Malicious fashions characterize a serious danger to AI methods, particularly for AI-as-a-service suppliers as a result of attackers could leverage these fashions to carry out cross-tenant assaults,” the researchers concluded.
“The potential impression is devastating, as attackers might be able to entry the thousands and thousands of personal AI fashions and apps saved inside AI-as-a-service suppliers.”