A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify these YAML files to execute OS commands on the worker pod. This vulnerability can be exploited before the configuration is validated, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage.
Feast version 0.53.0 is vulnerable to a critical remote code execution (RCE) flaw, allowing attackers to execute arbitrary commands on the Kubernetes worker pods. Exploiting this vulnerability, attackers can achieve cluster takeover, compromise data integrity, and potentially disrupt the supply chain. This is due to insecure deserialization of YAML configuration files.
Step 1: Payload Delivery: The attacker crafts a malicious YAML file, feature_store.yaml or materialization_config.yaml, containing Python code designed to execute OS commands. This YAML file is specifically crafted to leverage the yaml.load function's ability to instantiate arbitrary Python objects.
Step 2: File Upload/Modification: The attacker uploads or modifies the crafted YAML file to a location accessible to the Feast Kubernetes materializer job, typically /var/feast/.
Step 3: Configuration Loading: The Feast materializer job, running within a Kubernetes pod, loads and deserializes the malicious YAML file using yaml.load(..., Loader=yaml.Loader).
Step 4: Code Execution: During deserialization, the Python code embedded within the YAML file is executed, leading to the execution of attacker-specified OS commands on the worker pod. This could involve creating reverse shells, downloading malware, or modifying data.
Step 5: Privilege Escalation (Potential): Depending on the permissions of the worker pod, the attacker may be able to escalate privileges within the Kubernetes cluster, potentially leading to a complete cluster takeover.
The vulnerability stems from the insecure use of yaml.load(..., Loader=yaml.Loader) in feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py to parse feature_store.yaml and materialization_config.yaml. This function, without proper input validation, allows for the instantiation of arbitrary Python objects during YAML deserialization. An attacker can craft a malicious YAML file containing Python code that executes OS commands, such as os.system() or subprocess.run(). The lack of input sanitization and validation before the configuration is loaded allows for the execution of this malicious code. The root cause is the unsafe deserialization of user-controlled YAML data, leading to code injection and ultimately, remote code execution. The use of yaml.Loader is inherently insecure when handling untrusted input.