| --- |
| license: mit |
| tags: |
| - security |
| - vulnerability-report |
| --- |
| |
| # Vulnerability Report: Unauthenticated RCE in TensorRT-LLM (MGMN Leader Node) |
|
|
| ## Summary |
| I have identified a Critical Remote Code Execution (RCE) vulnerability in the TensorRT-LLM Multi-GPU Multi-Node (MGMN) launcher. The vulnerability exists in the `mgmn_leader_node.py` script, which initializes an IPC server without enforcing HMAC authentication. Combined with insecure environment variable handling, this allows a local or network attacker to force the server to bind to an external interface and execute arbitrary code. |
|
|
| ## Vulnerability Details |
| **Component:** `tensorrt_llm/llmapi/mgmn_leader_node.py` and `tensorrt_llm/llmapi/mpi_session.py` |
|
|
| **Root Cause:** |
| 1. **Insecure Default Initialization:** |
| In `tensorrt_llm/llmapi/mgmn_leader_node.py`, the `RemoteMpiCommSessionServer` is initialized without passing an `hmac_key`. |
| |
| ```python |
| # mgmn_leader_node.py |
| server = RemoteMpiCommSessionServer( |
| comm=sub_comm, |
| n_workers=num_ranks, |
| addr=get_spawn_proxy_process_ipc_addr_env(), |
| is_comm=True) # MISSING hmac_key |
| Security Fallback Failure: In tensorrt_llm/llmapi/mpi_session.py, the __init__ method sets use_hmac_encryption to False if no key is provided. |
| |
| Python |
| |
| # mpi_session.py |
| self.queue = ZeroMqQueue(..., use_hmac_encryption=bool(hmac_key)) |
| This disables the signature check on the IPC socket, allowing unauthenticated pickle.loads deserialization. |
| |
| Insecure Environment Variable Handling: The bind address is derived from TLLM_SPAWN_PROXY_PROCESS_IPC_ADDR (in utils.py), which can be controlled by any user on the system before the service starts. |
| |
| Attack Scenario |
| An attacker sets the environment variable: export TLLM_SPAWN_PROXY_PROCESS_IPC_ADDR="tcp://0.0.0.0:4444" |
| |
| The victim (or automated orchestration system) executes mgmn_leader_node.py. |
| |
| The server binds to port 4444 on all interfaces with HMAC Encryption Disabled. |
| |
| The attacker connects to port 4444 and sends a malicious Pickle payload containing shell commands (e.g., reverse shell). |
| |
| The ZeroMqQueue class deserializes the payload without verification, executing the attacker's code with the privileges of the TensorRT-LLM process. |
| |
| Impact |
| This vulnerability allows for Arbitrary Code Execution (ACE). In shared cluster environments (e.g., Slurm/Kubernetes), this allows a low-privileged user to escalate privileges or move laterally to other nodes running TensorRT-LLM. |
