Horovod versions up to and including v0.28.1 are vulnerable to unauthenticated remote code execution. The vulnerability is due to improper handling of base64-encoded data in the `ElasticRendezvousHandler`, a subclass of `KVStoreHandler`. Specifically, the `_put_value` method in `ElasticRendezvousHandler` calls `codec.loads_base64(value)`, which eventually invokes `cloudpickle.loads(decoded)`. This allows an attacker to send a malicious pickle object via a PUT request, leading to arbitrary code execution on the server.
The vulnerability lies in the `ElasticRendezvousHandler` class, a subclass of `KVStoreHandler`. The `_put_value` method decodes data from base64 format via `codec.loads_base64(value)`, then calls `cloudpickle.loads(decoded)` on the obtained data. The `cloudpickle` library performs deserialization without any content validation, meaning an attacker can send a malicious pickle object in an HTTP PUT request. As a result of deserialization, the server executes arbitrary code contained in the crafted payload.
An unauthenticated remote attacker can execute arbitrary code on the server (RCE), which in practice means complete machine takeover, data theft, backdoor installation, or further lateral movement in the infrastructure.
Apply patches available from the vendor according to references. It is also recommended to restrict network access to ElasticRendezvous endpoints only to trusted hosts (e.g., using firewall or network rules) as a temporary measure until updates are applied.
Horovod in all versions up to and including v0.28.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHorovod
APPHorovod≤ 0.28.1