Disgruntled users are pursuing offers for “full Netflix access” at steeply discounted rates.
Related Posts
Microsoft fixes flaw after being called irresponsible by Tenable CEO
Microsoft fixed a security flaw in the Power Platform Custom Connectors feature that let unauthenticated attackers access cross-tenant applications and Azure customers’ sensitive data after being called “grossly irresponsible” by Tenable’s CEO. […]
BleepingComputer
MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days
MITRE R&D network hacked in early January by a state-sponsored threat group that exploited an Ivanti zero-day vulnerability.
The post MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days appeared first on SecurityWeek.
SecurityWeek RSS Feed
Critical AI Security Flaws Let Attackers Bypass Detection & Execute Remote Code
Artificial Intelligence (AI) has become one of the fastest-booming technologies of this decade, with several advancements in multiple industries.
In several cases, threat actors have exploited AI systems to retrieve sensitive information later used in other attack vectors.
However, a technology growing this quickly also calls for vigilance against vulnerabilities that arise during development or at run time.
A bug bounty program created to protect artificial intelligence detected several vulnerabilities using custom-developed and open-source tools.
Critical AI Security Flaws
According to the reports shared with Cyber Security News, more than 9 vulnerabilities were detected this month. The most crucial ones were a Validation Bypass, an Arbitrary File Overwrite via Malicious Source URL, and a Local File Inclusion.
These vulnerabilities were assigned CVE-2024-0520 (10.0 – Critical), CVE-2023-6976 (8.8 – High), and CVE-2023-6977 (10.0 – Critical).
CVE-2024-0520 – MLflow Arbitrary File Overwrite
This vulnerability exists in MLflow, a tool for storing and tracking models. An attacker can perform an arbitrary file overwrite due to the code used to pull down remote data storage. Users can be manipulated into using a malicious remote data source that will instead execute commands in the user’s context.
CVE-2023-6976 – MLflow Arbitrary File Overwrite
One of the MLflow functions that validates file path safety had a bypass vulnerability that would allow a threat actor to remotely overwrite files on the MLflow server, resulting in remote code execution. A threat actor can also overwrite the SSH keys on the system or edit the .bashrc file to execute arbitrary commands on the system when the next user logs in.
CVE-2023-6977 – MLflow Local File Include
On certain types of operating systems, the hosted MLflow can be manipulated into displaying sensitive file contents due to a file path safety bypass. This can also potentially lead to system takeover if SSH keys or cloud keys are stored on the server with MLflow read permissions.
A complete report has been published, which provides detailed information about these vulnerabilities, potential exploitation, impact, and other information.
The post Critical AI Security Flaws Let Attackers Bypass Detection & Execute Remote Code appeared first on Cyber Security News.
Cyber Security News