Path Traversal and Arbitrary File Read in NVIDIA Triton Inference Server
Overview
A path traversal vulnerability was discovered in the NVIDIA Triton Inference Server's model repository management functionality. The server exposes an API endpoint that allows clients to load and unload models from its configured model repository. An attacker with network access to this management API can send a specially crafted request to load or unload a model. By using directory traversal sequences (e.g., `..%2F` or `..\`) within the model name parameter of the API call, the attacker can break out of the intended model repository directory. This allows the attacker to navigate the server's filesystem and access arbitrary files.

The impact of this vulnerability is the unauthorized disclosure of sensitive information. An attacker could read configuration files containing credentials, SSH keys, application source code, or other sensitive data stored on the server. This information could then be used to escalate privileges or pivot to other systems within the network.

The vulnerability exists because the server fails to properly sanitize the user-provided model name before using it in filesystem operations.
Affected Systems
Testing Guide
1. **Check Server Version:** Determine the version of your running NVIDIA Triton Inference Server. If it is older than 23.04, it is likely vulnerable.
2. **Craft Malicious Request:** Use a tool like `curl` to send a request to the model control API endpoint. Attempt to load a model with a path traversal payload. Example: `curl -X POST localhost:8001/v2/repository/models/..%2F..%2F..%2F..%2Fetc%2Fpasswd/load`
3. **Analyze Response:** While this specific command may not work if a valid model config isn't present, a vulnerable server will attempt to access the path and return a file-system-related error message in its logs or response, confirming the traversal attempt was processed. A patched server will reject the request outright as an invalid model name.
Mitigation Steps
1. **Upgrade NVIDIA Triton:** Update the Triton Inference Server to version 23.04 or later, where the path traversal vulnerability has been patched.
2. **Restrict API Access:** Use a firewall or network security groups to restrict access to the Triton server's management port (typically 8001) to only trusted IP addresses and administrative networks.
3. **Run as Low-Privilege User:** Run the Triton server process as a dedicated, low-privilege user with minimal read permissions on the filesystem outside of its required directories.
4. **Use API Gateway:** Place an API gateway with path normalization and validation rules in front of the Triton server to inspect and block malicious requests containing traversal sequences.
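
One way to express the gateway validation rule from step 4, as an added example (it is not NVIDIA's patch and not Triton code). The route shape comes from the `curl` example in the Testing Guide; the allow-list pattern, the decode limit and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Route shape taken from the page's curl example.
ROUTE = re.compile(r"/v2/repository/models/(?P<name>.+)/(?P<action>load|unload)")
# Assumed allow-list: a model name is one path component of safe characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")
# Assumed limit on nested percent-encoding before a request is refused.
MAX_DECODE_ROUNDS = 3


def fully_decode(value):
    """Percent-decode until stable so double-encoded input (%252F) is seen in plain form."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return None  # still changing after the limit: refuse rather than guess


def check_model_request(raw_path):
    """Return (allowed, reason) for the raw, undecoded request path."""
    path = raw_path.split("?", 1)[0]
    match = ROUTE.fullmatch(path)
    if match is None:
        return True, "not a model load/unload route"
    name = fully_decode(match.group("name"))
    if name is None:
        return False, "excessive percent-encoding"
    # Check separators before anything else: a model name is never a path.
    if "/" in name or "\\" in name or "\x00" in name:
        return False, "path separator in model name"
    if ".." in name:
        return False, "dot-dot sequence in model name"
    if not SAFE_NAME.fullmatch(name):
        return False, "model name outside allow-list"
    return True, "ok"
```

The check must run on the raw request path, before any proxy layer decodes or normalizes it, and it complements the upgrade in step 1 rather than replacing it.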
Patch Details
Patched in NVIDIA Triton Inference Server version 23.04 and all subsequent releases.