Press ReleaseCyber SafetyDevice & IoTThreat Detection & Defense

Synopsys: Data Poisoning Vulnerabilities Found in EmbedAI Application

Photo of CSA Editorial CSA Editorial Send an email June 6, 2024
1 minute read

The Synopsys Cybersecurity Research Center (CyRC) has exposed a Data Poisoning vulnerability in the EmbedAI Application. EmbedAI allows users to interact with documents by utilising the capabilities of large language models (LLM).

The EmbedAI application is susceptible to security issues that enable Data Poisoning attacks. This weakness could result in the application becoming compromised, leading to unauthorised entries or data poisoning attacks, which are delivered by a CSRF vulnerability due to the absence of a secure session management implementation and weak CORS policies weakness.

Exploitation
An attacker can direct a user to a malicious webpage that exploits a CSRF vulnerability within the EmbedAI application. By leveraging this CSRF vulnerability, the attacker can deceive the user into inadvertently uploading and integrating incorrect data into the application’s language model.

Affected Software

  • EmbedAI “main” branch

Impact
The exploitation of this vulnerability affects the immediate functioning of the model and can have long-lasting effects on its credibility and the security of the systems that rely on it. This can manifest in various ways, including the spread of misinformation, introduction of biases, degradation of performance, and potential for denial-of-service attacks.

  • CVSS Base Score: 7.3 (High)

  • CVSS 3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Remediation
The CyRC reached out to the developers but has not received a response within the 90-day timeline dictated by our responsible disclosure policy. The CyRC recommends removing the applications from networks immediately.

Discovery credit
This vulnerability was discovered by Mohammed Alshehr, security researcher at Synopsys Software Integrity Group.

Timeline 

  • February 26, 2024: Initial contact attempt

  • April 4, 2024: Second contact attempt

  • May 1, 2024: Final contact attempt

  • May 3, 2024: Synopsys confirms disclosure to SamurAI

  • May 29, 2024: Advisory published by Synopsys

References
Head over to this link.

Tags
Photo of CSA Editorial CSA Editorial Send an email June 6, 2024
1 minute read
Photo of CSA Editorial

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.

Related Articles

81% of Malaysians Have Adopted Digital Cards for Convenience and Security, states IDEMIA Secure Transactions Global Study

October 4, 2024

Infoblox Unveils Game-Changing Universal DDI™ Product Suite to Help NetOps, SecOps, and CloudOps Work Better Together

October 4, 2024

The Costs of Cyber Attacks: How One Breach Can Sink Your Business

October 4, 2024

Building Digital Trust in Malaysia: Essential Steps Every Organisation Should Take

October 4, 2024

Leave a Reply

Your email address will not be published. Required fields are marked *

(c) Asia Online Publishing Group 2024 - Media and PR enquiries - editor@aopg.net