Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting
A vulnerability in the Google Cloud Vertex AI SDK for Python allowed attackers to hijack machine learning model uploads and execute code within Google's serving infrastructure, according to Palo Alto Networks Unit 42. The researchers discovered the flaw, reported it through Google's bug bounty program, and named the attack method "Pickle in the Middle." The exploit could allow an attacker with no prior access to a victim's Google Cloud project to intercept and manipulate model uploads. Unit 42 stated that it has not observed any exploitation of this vulnerability in the wild.

The issue stems from how the SDK handles serialized Python objects: the "pickle" protocol can be manipulated to execute arbitrary code when a pickle is deserialized. An attacker could therefore replace legitimate model files with malicious ones during the upload process, leading to execution of their own code on Google's servers.

The discovery highlights supply-chain risks in machine learning model deployment, even within cloud environments.
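The core risk in the report is that a pickle stream is a small program: loading it can import and call arbitrary Python callables, so a swapped-in model file runs whatever it names. The following is an added illustration, not code from Unit 42, Google, or the Vertex AI SDK, and it makes no claim about how the SDK itself loads artefacts. It shows two defender-side controls a deployment pipeline can apply to a pickle-based artefact before trusting it: a static opcode scan that never executes the stream, and a restricted unpickler that refuses any global not on an explicit allowlist. The `load_model_artifact` hook, the allowlist contents and the two sample blobs are assumptions constructed for the example.

```python
"""Defensive checks for pickle-based model artefacts.

Added illustration; not code from Unit 42, Google, or the Vertex AI SDK.
Two controls for the risk the article describes:
  1. a static scan of a pickle stream for opcodes that import or call
     arbitrary Python objects (anything beyond plain data), and
  2. a restricted Unpickler that refuses to resolve any global that is
     not on an explicit allowlist, so a swapped-in artefact fails closed.
"""
import collections
import io
import pickle
import pickletools

# Opcodes that let a pickle stream reference or invoke arbitrary callables.
# A stream made only of literals, containers and memo ops never uses these.
CODE_EXECUTION_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
})

# Assumed allowlist: only these (module, name) pairs may be resolved while
# deserialising. Extend it deliberately per artefact type, never wildcard it.
ALLOWED_GLOBALS = frozenset({
    ("builtins", "set"),
    ("builtins", "frozenset"),
})


def scan_pickle(blob: bytes) -> list[str]:
    """Return the names of dangerous opcodes found, in stream order.

    pickletools.genops disassembles the stream without executing anything,
    so this is safe to run on an untrusted artefact before any load attempt.
    """
    return [op.name for op, _arg, _pos in pickletools.genops(blob)
            if op.name in CODE_EXECUTION_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not on the allowlist")


def restricted_loads(blob: bytes):
    """Deserialise with the allowlist enforced; raises on anything else."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_model_artifact(blob: bytes, skip_scan: bool = False):
    """Hypothetical pipeline hook: returns (True, object) or (False, reason).

    The static scan rejects most hostile streams without touching them;
    the restricted loader is the backstop if the scan is bypassed or
    skipped (skip_scan=True exercises that second layer on its own).
    """
    if not skip_scan:
        flagged = scan_pickle(blob)
        if flagged:
            return False, "dangerous opcodes: " + ", ".join(flagged)
    try:
        return True, restricted_loads(blob)
    except pickle.UnpicklingError as exc:
        return False, f"restricted load rejected artefact: {exc}"


# Constructed sample artefacts (not real model files).
# Plain data only: dict, str, list, float. No globals, no REDUCE.
SAFE_BLOB = pickle.dumps({"name": "m", "weights": [0.1, 0.2]})
# Pickling any class instance embeds a global reference plus REDUCE; a
# harmless stdlib type stands in here for whatever a swapped artefact names.
UNSAFE_BLOB = pickle.dumps(collections.OrderedDict(a=1))


if __name__ == "__main__":
    print("safe   :", load_model_artifact(SAFE_BLOB))
    print("unsafe :", load_model_artifact(UNSAFE_BLOB))
    print("unsafe, scan skipped:", load_model_artifact(UNSAFE_BLOB, skip_scan=True))
```

The scan is the cheap first gate because `pickletools.genops` only disassembles the stream; the restricted unpickler matters when the scan is not in the path, since `find_class` is the single choke point through which every global reference must pass. Neither control makes pickle a safe interchange format; they give a pipeline a fail-closed check for artefacts that should contain only plain data.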
Original source — read the full reporting at the publisher:
Read on The Hacker News