Rasa (un)authenticated Remote Code Execution via remote model loading (CVE-2024-49375)
During an internal penetration test a product was checked which uses Rasa to build a conversational AI. A mixture of penetration testing and source code analysis led to the discovery of an (un)authenticated Remote Code Execution.
TL;DR
Which versions are affected?
- rasa (pip) <3.6.21
- rasa-pro (pip) <3.10.12, <3.9.16, <3.8.18
Are fixed versions available?
Yes, namely:
- rasa (pip) 3.6.21
- rasa-pro (pip) 3.10.12, 3.9.16, 3.8.18
Does Rasa need to be patched?
Yes and as fast as possible due to its severity (critical, 9.1/10, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). Additional information on the fix and the mitigation advice can be found at GitHub.
The RCE vulnerability affects systems running Rasa as follows:
- Default configuration: not affected by RCE
- HTTP API enabled (
--enable-api
): affected- No authentication method in use: unauthenticated RCE
- Token Based Auth: authenticated RCE
- JWT Based Auth: authenticated RCE
Is an exploit available?
Yes, the exploit can be found at the end of the full advisory and here.
Links:
https://github.com/RasaHQ/rasa-pro-security-advisories/security/advisories/GHSA-cpv4-ggrr-7j9v
https://nvd.nist.gov/vuln/detail/cve-2024-49375
Credits
Julian Scheid (julian.scheid@telekom.de)
Technical deep dive
For those interested in taking a technical deep dive in how the vulnerability was discovered and how the exploit has been developed, reading the full advisory is highly recommended.