Critical vulnerability in NumPy could allow attackers to perform Remote Code Execution

• The current version of NumPy’s unsafe default usage of a Python module could result in remote code execution.
• This issue affects NumPy versions 1.10 and later.

NumPy is a library for the Python programming used in scientific computing. The current version of NumPy relies on insecure default usage of a Python module that could lead to remote code execution. This bug affects NumPy versions 1.10 and later. The popular library is working to deliver a fix to the bug.

A security researcher Sherwel Nan reported the bug (CVE-2019-6446) on January 16, 2019. Nan stated that if a Python application loads malicious data via the 'numpy.load' function, an attacker could obtain remote code execution on the machine.

The bug CVE-2019-6446 is marked as critical, with a severity score of 9.8 as per the Common Vulnerability Scoring System (CVSS) version 3.

Pickle Module

The problem is with the 'pickle' module, which is used for transforming Python object structures into a format that can be stored on disk or in databases, or that allows delivery across a network.

Loading pickled object arrays in npy files are allowed by default, however, loading pickled data can execute arbitrary code. Loading object arrays will no longer be possible if pickles are disallowed,

The 'allow_pickle' parameter was introduced in NumPy 1.10 version and the development team of NumPy is now working on a fix.

“When using the 'numpy.load' function with the 'allow_pickle' parameter users should default its value to 'False' if they are not sure if the data is safe,” Nan told BleepingComputer.

The maintainers of NumPy also suggested to change the default value for the 'allow_pickle' parameter to 'False' in NumPy 1.17 version and display a warning when importing datasets from the internet, so that users can allow the action only if they trust the data.

Linux-based distributions

NumPy is typically available from the official package repositories of Linux-based distributions. SUSE security engineer Alexandros Toptsoglou stated that the issue impacts SUSE Linux Enterprise 15 and the SUSE Linux Enterprise 12 Service Pack 2.

NumPy is available for various Linux-based distributions via the RPM Package Manager. The maintainers of the NumPy RPM package are open to adding a security alert in the near future so that it is present in Numpy version 1.17 if concerns are high enough to warrant such a move.

“If someone is extremely concerned, we could discuss backporting it or moving quicker, but that would depend a lot on whether or not downstream depends on it,” Sebastian Berger said.