Critical Flaw in AI Python that could allow attackers to control your system [CVE-2024-34359]
CVE number = CVE-2024-34359
The vulnerability, identified by researcher Patrick Peng (also known as retr0reg) and designated as CVE-2024-34359, has been named “Llama Drama.” On Thursday, cybersecurity firm Checkpoint released a blog post detailing the flaw and its potential consequences.
CVE-2024-34359 is a critical vulnerability resulting from the improper use of the Jinja2 template engine within the llama_cpp_python
package. This package, intended to boost computational efficiency by merging Python with C++, is employed in AI applications. The vulnerability stems from the package processing template data without implementing necessary security measures, like sandboxing, which Jinja2 supports but was not utilized in this case. This lapse permits attackers to inject malicious templates, enabling the execution of arbitrary code on the host system.
Exploitation of this vulnerability can enable attackers to perform unauthorized actions, including data theft, system compromise, and disruption of operations. Given the critical role of AI systems in processing sensitive and extensive datasets, the repercussions of such vulnerabilities can be far-reaching, impacting everything from individual privacy to the operational integrity of organizations.
The identified vulnerability has been addressed in version 0.2.72 of the llama_cpp_python
package, which incorporates a fix that enhances sandboxing and input validation measures. Organizations are strongly advised to update to this latest version promptly to ensure the security of their systems.
I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.