Wiz found two critical security risks that were present in Hugging Face’s environment:
- Shared inference infrastructure takeover risk – By design, inference infrastructure environments run untrusted, potentially malicious models. A malicious model could have escalated privileges and gained cross-tenant access to other customers' model data.
- Shared CI/CD takeover risk – An attacker using a specially-crafted malicious AI app could have compromised Hugging Face's CI/CD cluster, theoretically executing a supply chain attack against their customers.
Specifically, Wiz Research showed that an attacker targeting Hugging Face could have achieved the following:
Remote code execution (RCE) via specially crafted pickle file
Wiz Research were able to achieve remote code execution through a specially crafted pickle file (a type of AI model format). To achieve this, they cloned a legitimate model, which already includes all of the necessary files that instruct Hugging Face how this model should be run (i.e., `config.json`), and modified it in a way that would run a reverse shell upon loading. They then uploaded the modified model to Hugging Face as a private model and attempted to interact with it using the Inference API feature, which demonstrated that they had successfully deployed a reverse shell.
Using this access, Wiz Research were then able to retrieve credentials from the IMDS (instance metadata service) and explore the larger environment their model was running in, and by abusing common EKS misconfigurations were able to move laterally and achieve cross-tenant access to other customers' models, Spaces and datasets.
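The pickle attack above works because unpickling resolves and calls arbitrary importable objects. A loader that accepts third-party model files can refuse such streams before executing them: the following added example (not code from Hugging Face or Wiz) walks a pickle stream with the standard library's `pickletools`, lists every `module.name` global it references and every call opcode it uses, and only approves a file whose globals all sit on a caller-supplied allowlist. The sample streams are constructed here: two benign objects, a bare callable reference, a hand-written protocol-0 stream, and a truncated file.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that push a string; STACK_GLOBAL consumes the two most recent as (module, name).
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that only touch the memo and may sit between those two strings.
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}
# Opcodes that invoke a callable or apply object state while unpickling.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data, allowlist=frozenset()):
    """Inspect a pickle stream with pickletools without executing any of it.

    Returns the (module, name) globals the stream resolves, the call opcodes it
    uses, and a verdict: safe only when every global is on the allowlist.
    Malformed streams are reported as unsafe instead of raising.
    """
    globals_seen, call_ops, recent = [], [], []
    try:
        for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
            if op.name in STRING_OPS:
                recent = (recent + [arg])[-2:]
            elif op.name in MEMO_OPS:
                pass
            elif op.name == "GLOBAL":
                # protocol 0-3 form; pickletools renders the argument as "module name"
                module, name = arg.split(" ", 1)
                globals_seen.append((module, name))
                recent = []
            elif op.name == "STACK_GLOBAL":
                # protocol 4+ form; if the operands came from memo lookups rather than
                # literal strings they cannot be resolved statically: treat as unknown
                globals_seen.append(tuple(recent) if len(recent) == 2 else ("?", "?"))
                recent = []
            else:
                if op.name in CALL_OPS:
                    call_ops.append(op.name)
                recent = []
    except (ValueError, EOFError, IndexError) as exc:
        return {"globals": globals_seen, "calls": call_ops, "safe": False, "error": str(exc)}
    safe = all(g in allowlist for g in globals_seen)
    return {"globals": globals_seen, "calls": call_ops, "safe": safe, "error": None}


# Constructed samples (not files from the page): two benign objects, a bare callable
# reference, a hand-written protocol-0 stream using GLOBAL, and a truncated stream.
SAMPLES = {
    "plain_weights": pickle.dumps({"name": "x", "weights": [0.1, 0.2]}),
    "ordered_dict": pickle.dumps(OrderedDict(a=1)),
    "callable_ref": pickle.dumps(len),
    "proto0_global": b"cbuiltins\nlen\n.",
    "truncated": b"\x80\x04\x95",
}
# Allowlist a loader for this format would publish; everything else is rejected.
ALLOWED = frozenset({("collections", "OrderedDict")})


def triage(samples=SAMPLES, allowlist=ALLOWED):
    """Map each sample name to its verdict so a loading hook can refuse rejected files."""
    return {name: scan_pickle(blob, allowlist) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name:14} safe={result['safe']!s:5} globals={result['globals']} calls={result['calls']}")
```

The allowlist is the whole policy: a deny-list of known-bad modules would miss the next gadget, whereas refusing any global the format does not need leaves nothing for `REDUCE` to call. The scan is a gate on untrusted input, not a substitute for running inference in an isolated, single-tenant sandbox.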
Remote code execution (RCE) via specially crafted Dockerfile
Spaces in Hugging Face allow users to submit a Dockerfile that hosts their AI-powered applications on Hugging Face's infrastructure, for collaborative development and for showcasing the application publicly. Wiz Research were able to achieve remote code execution by providing a Dockerfile that executes a malicious payload via the `CMD` instruction, which specifies which program to run once the Docker container is started. They were also able to use the `RUN` instruction to execute code within the build process, which would have potentially allowed them to reach other environments.
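The two instructions matter for different reasons: `RUN` executes on the build host, `CMD` and `ENTRYPOINT` execute in the served container. The following added example (not Hugging Face's or Wiz's code) is a small Dockerfile parser and triage helper that separates the two phases and reports which user the final stage runs as, since Docker defaults to root when no `USER` is set. It joins backslash continuations and drops comment lines as the default Docker parser does; the `# escape=` directive and heredoc syntax are not handled (assumed absent). The sample Dockerfile is constructed here.

```python
# Instructions that execute code while the image is being built (on the build host)
# versus when a container is started from the finished image. ONBUILD defers an
# instruction to a downstream build, which is still build-time execution.
BUILD_EXEC = {"RUN"}
RUNTIME_EXEC = {"CMD", "ENTRYPOINT", "HEALTHCHECK"}


def parse_dockerfile(text):
    """Return [(INSTRUCTION, argument), ...], joining backslash continuations and
    dropping blank and comment lines. Assumes the default backslash escape char."""
    instructions, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        name, _, arg = " ".join(pending).partition(" ")
        instructions.append((name.upper(), arg.strip()))
        pending = []
    if pending:  # file ended inside a continuation
        name, _, arg = " ".join(pending).partition(" ")
        instructions.append((name.upper(), arg.strip()))
    return instructions


def triage_dockerfile(text):
    """Summarise where an untrusted Dockerfile executes code and as which user."""
    ins = parse_dockerfile(text)
    build_exec = []
    for name, arg in ins:
        if name in BUILD_EXEC:
            build_exec.append(arg)
        elif name == "ONBUILD" and arg.split(" ", 1)[0].upper() in BUILD_EXEC:
            build_exec.append(f"ONBUILD {arg}")
    runtime_exec = [(n, a) for n, a in ins if n in RUNTIME_EXEC]
    # The USER set after the last FROM decides the runtime identity; Docker defaults to root.
    last_from = max((i for i, (n, _) in enumerate(ins) if n == "FROM"), default=-1)
    user = None
    for name, arg in ins[last_from + 1:]:
        if name == "USER":
            user = arg
    runs_as_root = user is None or user.split(":")[0] in ("root", "0")
    return {"build_exec": build_exec, "runtime_exec": runtime_exec,
            "user": user, "runs_as_root": runs_as_root}


# Constructed sample in the shape of a Space Dockerfile (not a file from the page).
SAMPLE_DOCKERFILE = """\
FROM python:3.11-slim
# build-time step: runs on the builder, not in the served container
RUN pip install --no-cache-dir gradio \\
    && useradd -m app
COPY app.py /home/app/app.py
USER app
CMD ["python", "/home/app/app.py"]
"""
# Same file with the USER line removed: the container would run as root.
SAMPLE_NO_USER = SAMPLE_DOCKERFILE.replace("USER app\n", "")


if __name__ == "__main__":
    for label, text in (("with USER", SAMPLE_DOCKERFILE), ("no USER", SAMPLE_NO_USER)):
        print(label, triage_dockerfile(text))
```

The split is the point for a platform that builds customer images: anything listed under `build_exec` runs with whatever network reach and credentials the builder has, so the builder, not the Dockerfile, is where the isolation boundary must be enforced.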
Write access to centralized container registry
After achieving remote code execution within Hugging Face's environment, Wiz Research then identified network connections made from their machine to an internal container registry to which their built layers were pushed. This container registry served not only their machine but all of Hugging Face's other customers as well. Due to a scoping misconfiguration, it was possible to pull and push (and thereby overwrite) all images available on that container registry, which could have facilitated a supply chain attack.