skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
January 12, 2024

GHSL-2023-260: Remote command execution (RCE) in Intel Analytics’ BigDL-LLM

Jorge Rosillo

Coordinated Disclosure Timeline


Intel Analytics’ BigDL-LLM is a library for running LLM (large language model) on Intel XPU (from Laptop to GPU to Cloud). The finetune server exposes an endpoint allowing attackers to potentially execute malicious commands on developer machines.



Tested Version

BigDL release 2.4.0


Command injection in through /attest (GHSL-2023-260)

The BigDL-AA Agent exposes an /attest endpoint, which allows for executing a command containing an arbitrary string.

@app.route('/attest', methods=['POST'])
def get_cluster_quote_list():
    data = request.get_json()
    user_report_data = data.get('user_report_data')
    quote_list = []

        quote_b = quote_generator.generate_tdx_quote(user_report_data)
        quote = base64.b64encode(quote_b).decode("utf-8")
        quote_list.append(("launcher", quote))
    except Exception as e:
        quote_list.append("launcher", "quote generation failed: %s" % (e))

    command = "sudo -u mpiuser -E bash /ppml/ %s" % (user_report_data)
    output = subprocess.check_output(command, shell=True)

Even when providing an invalid value, given that the try block doesn’t raise an exception when caught, the user-controlled contents user_report_data flow directly to the command in question, which, using shell=True, allows for shell expansion.

This issue was found with CodeQL for Python’s Uncontrolled command line query.


This issue may lead to Remote Command Execution

Proof of Concept

This way, an attacker is allowed to execute commands as the user running the server.

$ cat /tmp/info

The exploitation of this vulnerability requires a valid payload for generate_tdx_quote or a syntax error fix as follows: ```diff diff –git a/ppml/tdx/docker/trusted-bigdl-llm/finetune/docker/ b/ppml/tdx/docker/trusted-bigdl-llm/finetune/docker/ index d848fd658..9d3090536 100644 — a/ppml/tdx/docker/trusted-bigdl-llm/finetune/docker/ +++ b/ppml/tdx/docker/trusted-bigdl-llm/finetune/docker/ @@ -30,7 +30,7 @@ def get_cluster_quote_list(): quote = base64.b64encode(quote_b).decode(“utf-8”) quote_list.append((“launcher”, quote)) except Exception as e:

  • quote_list.append(“launcher”, “quote generation failed: %s” % (e))
  • quote_list.append((“launcher”, “quote generation failed: %s” % (e)))
 command = "sudo -u mpiuser -E bash /ppml/ %s" % (user_report_data)
 output = subprocess.check_output(command, shell=True) ```


This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).


You can contact the GHSL team at, please include a reference to GHSL-2023-260 in any communication regarding this issue.