Executive Summary
Tens of thousands of internet-exposed servers, including those belonging to large organizations, are affected by a series of critical vulnerabilities known as ‘ShellTorch’ in the TorchServe AI model-serving tool.
These vulnerabilities allow access to proprietary AI models, insertion of malicious models, and leakage of sensitive data, potentially leading to code execution attacks and server takeovers.
To mitigate these risks, it is recommended to upgrade to TorchServe 0.8.2, configure the management console properly, and ensure models are fetched only from trusted domains.
About TorchServe
TorchServe is a powerful tool for serving PyTorch models in production. It provides developers with a flexible and efficient way to deploy their models at scale.
PyTorch is a machine learning framework based on the Torch library, used for applications such as computer vision and natural language processing.
TorchServe is built and maintained by AWS in collaboration with Facebook and is available as part of the PyTorch open-source project.
About ShellTorch Vulnerabilities
ShellTorch is a set of critical vulnerabilities that impact TorchServe versions 0.3.0 through 0.8.1. These vulnerabilities pose significant risks to servers using the TorchServe AI model-serving tool.
- Unauthenticated Management Interface API Misconfiguration
  - CVE-ID: CVE-2023-43654
  - Impact: Unrestricted access and upload of malicious models
  - CVSS: 9.8
  - This vulnerability arises from an API misconfiguration in the management interface that allows any user unrestricted access. Attackers can exploit this flaw to upload malicious models.
- Remote Server-Side Request Forgery (SSRF)
  - CVE-ID: Not specified
  - Impact: Remote code execution
  - CVSS: Not specified
  - TorchServe’s API has a flaw that accepts model requests from any domain, leading to an SSRF vulnerability. Attackers can upload malicious models that trigger arbitrary code execution on the target server.
- Java Deserialization Vulnerability
  - CVE-ID: CVE-2022-1471
  - Impact: Remote code execution
  - CVSS: 9.8
  - This vulnerability is due to insecure deserialization in the SnakeYAML library. Attackers can upload a model with a malicious YAML file, leading to remote code execution.
These vulnerabilities expose servers running vulnerable versions of TorchServe to potential code execution attacks and server takeovers.
Recommendations
It is crucial to address these vulnerabilities promptly by upgrading to TorchServe 0.8.2, which also includes a warning about the SSRF issue.
Additionally, configuring the management console correctly and allowing model downloads only from trusted domains further reduces exposure.
Amazon has published a security bulletin with mitigation guidance for customers using Deep Learning Containers (DLC) in EC2, EKS, or ECS.
Oligo has also released a free checker tool that tests whether a deployment is exposed to ShellTorch attacks.
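The two configuration points in the recommendations above (management console exposure and trusted model sources) can be checked directly in a TorchServe config.properties file. The following is an added example written for this page; it is not Oligo's checker and not part of TorchServe. It assumes the documented TorchServe keys `management_address` (default `http://127.0.0.1:8081`) and `allowed_urls` (default `file://.*|http(s)?://.*`, a comma-separated list of regular expressions for permitted model sources); the two sample configuration files are constructed, and the host name models.example.com is a placeholder.

```python
"""Lint a TorchServe config.properties for the two ShellTorch-related settings:
a management API bound beyond loopback and an allowed_urls value that lets models
be fetched from any host.  Hypothetical checker written for this page."""
from typing import Dict, List
from urllib.parse import urlparse

# Defaults as documented for TorchServe; when a key is absent the default applies.
DEFAULT_MANAGEMENT_ADDRESS = "http://127.0.0.1:8081"
DEFAULT_ALLOWED_URLS = "file://.*|http(s)?://.*"

# Regex alternatives that accept a model URL from any remote host.
PERMISSIVE_URL_PATTERNS = {".*", "http(s)?://.*", "https?://.*", "http://.*", "https://.*"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value (or key:value), '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def lint_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means both settings look restricted."""
    props = parse_properties(text)
    findings: List[str] = []

    # 1. Management API: anything other than a loopback bind is reachable from the network.
    mgmt = props.get("management_address", DEFAULT_MANAGEMENT_ADDRESS)
    host = urlparse(mgmt).hostname or ""
    loopback = host in ("localhost", "::1") or host.startswith("127.")
    if not loopback:
        findings.append(f"management_address={mgmt}: management API is reachable beyond loopback")

    # 2. Model sources: each comma-separated regex may contain '|' alternatives; flag any
    #    alternative that matches every remote URL (the shipped default does).
    allowed = props.get("allowed_urls", DEFAULT_ALLOWED_URLS)
    for pattern in (p.strip() for p in allowed.split(",") if p.strip()):
        for alt in pattern.split("|"):
            if alt.strip() in PERMISSIVE_URL_PATTERNS:
                findings.append(f"allowed_urls alternative '{alt.strip()}' permits model downloads from any host")
    return findings


# Constructed sample: management API on all interfaces, allowed_urls left at its default.
WEAK_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
"""

# Constructed sample: management API on loopback, models only from one placeholder host.
HARDENED_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
allowed_urls=https://models\\.example\\.com/.*
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in lint_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against a real deployment by passing the contents of config.properties to `lint_config`; a clean result means the management API is bound to loopback and `allowed_urls` no longer contains the wildcard `http(s)?://.*` alternative, which is the configuration state the recommendations above call for.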