Compliance Impact

The vulnerability in OpenMed before version 1.5.2 allows unauthenticated remote code execution via the PII privacy-filter model loading path. This flaw could lead to unauthorized access and execution of arbitrary code with the privileges of the OpenMed service process.

Since OpenMed handles Personally Identifiable Information (PII) and is used in healthcare AI contexts, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of sensitive personal data.

Such a compromise would negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and health information from unauthorized access and breaches.

Therefore, this vulnerability poses a significant risk to regulatory compliance by potentially enabling data breaches and unauthorized data manipulation.

Useful 0 Not Useful 0

Executive Summary

OpenMed versions before 1.5.2 contain a critical remote code execution vulnerability in the PII privacy-filter model loading path.

The vulnerability arises because the privacy-filter dispatcher uses broad substring matching on the user-supplied model_name parameter. This allows an attacker to craft a malicious model name, such as attacker/foo-privacy-filter-bar, which bypasses restrictions and causes the system to load a Hugging Face model with trust_remote_code=True enabled.

An unauthenticated attacker can supply a malicious model repository containing custom Transformers code via auto_map in config.json or tokenizer_config.json. This code is then imported and executed with the privileges of the OpenMed service process, enabling arbitrary code execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated attacker to remotely execute arbitrary code on the system running OpenMed with the same privileges as the OpenMed service process.

Such remote code execution can lead to full system compromise, unauthorized access to sensitive data, disruption of service, and potential further exploitation within the affected environment.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if your OpenMed installation is running a version prior to 1.5.2 and if it processes model names with broad substring matching that could allow malicious model names containing "privacy-filter" to load untrusted code.

You can check the OpenMed version installed by running a command like:

• openmed --version

To detect suspicious activity or exploitation attempts, monitor logs or network traffic for requests containing unusual model_name parameters resembling attacker/foo-privacy-filter-bar or other unexpected model names containing "privacy-filter".

For example, you can search OpenMed service logs for such patterns using commands like:

• grep -i 'privacy-filter' /var/log/openmed/*.log
• grep -E 'attacker/.+-privacy-filter-.+' /var/log/openmed/*.log

Additionally, network monitoring tools can be used to detect HTTP requests with suspicious model_name parameters.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation is to upgrade OpenMed to version 1.5.2 or later, which includes security hardening to prevent this remote code execution vulnerability.

Version 1.5.2 introduces an explicit allowlist for trusted privacy-filter models, disables trust_remote_code by default, and restricts model name routing to prevent arbitrary model names from loading untrusted code.

If upgrading immediately is not possible, consider restricting access to the OpenMed service to trusted users only and monitor for suspicious model_name parameters containing "privacy-filter".

Operators can also configure the environment variable OPENMED_TRUSTED_REMOTE_CODE_MODELS to explicitly allow trusted custom or private fine-tuned models, reducing risk.

Useful 0 Not Useful 0