
PyTorch Models Vulnerable to Remote Code Execution Via ShellTorch: AWS Issues Advisory

In a recent revelation, cybersecurity experts from Oligo, an Israel-based runtime application security company, have disclosed several critical security flaws in TorchServe, a PyTorch model-serving and scaling tool. Termed ShellTorch, these vulnerabilities pose a substantial threat, allowing exploitation that could result in remote code execution on affected systems.

Identified Weaknesses and Their Implications

The disclosed vulnerabilities, now addressed in version 0.8.2, encompass a range of issues, the most severe being:

Unauthenticated Management Interface API Misconfiguration (0.0.0.0)

Oligo uncovered a crucial misconfiguration in the unauthenticated Management Interface API, potentially leaving countless services and users susceptible to unauthorized access and the insertion of malicious AI models. This flaw sets the stage for a full-chain Remote Code Execution (RCE).

CVE-2023-43654 (CVSS score: 7.2) – Remote Server-Side Request Forgery (SSRF)

This flaw opens the door to remote code execution, posing a significant risk to affected systems.

CVE-2022-1471 (CVSS score: 9.9) – SnakeYAML Library Insecurity

Exploiting an insecure version of the SnakeYAML library, this vulnerability allows for unsafe deserialization of Java objects, thereby enabling potential malicious code execution.

Exploitation Scenario and Impacts

The exploitation of these vulnerabilities allows an attacker to upload a malicious model from a controlled address, leading to arbitrary code execution. In simpler terms, unauthorized access to the management server permits the uploading of a malicious model, enabling code execution without authentication on any default TorchServe server.

Of particular concern is the synergy between these flaws and CVE-2022-1471, creating a pathway for extensive code execution and complete takeover of exposed instances.
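As an added defender-side example (not code from the article or from the TorchServe project), the script below audits a TorchServe config.properties for the two exposure conditions described above: the management API bound to 0.0.0.0 and a model-URL allow-list that accepts arbitrary remote hosts. It assumes the TorchServe keys management_address and allowed_urls (the latter is not named in the article) and treats a missing allowed_urls as permissive; the sample configs are constructed.

```python
"""Audit a TorchServe config.properties for ShellTorch-style exposure."""
import re
from urllib.parse import urlparse

# Constructed sample configs (not taken from the article or TorchServe).
WEAK_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
metrics_address=http://0.0.0.0:8082
"""

HARDENED_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
metrics_address=http://127.0.0.1:8082
allowed_urls=https://models\\.example\\.internal/.*
"""

# Probe URL used to test whether the allow-list admits an arbitrary remote host.
PROBE_URL = "https://arbitrary-host.example/model.mar"


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return a list of findings; an empty list means neither exposure was found."""
    props = parse_properties(text)
    findings = []
    # TorchServe defaults management_address to localhost when the key is unset.
    mgmt = props.get("management_address", "http://127.0.0.1:8081")
    if urlparse(mgmt).hostname in ("0.0.0.0", "::", None):
        findings.append(f"management API bound to all interfaces ({mgmt}); "
                        "bind it to 127.0.0.1 or restrict it with a firewall")
    # Assumption: a missing allowed_urls is treated as permissive (conservative).
    patterns = [p.strip() for p in props.get("allowed_urls", ".*").split(",")]
    if any(re.fullmatch(p, PROBE_URL) for p in patterns if p):
        findings.append("allowed_urls admits arbitrary remote model URLs; "
                        "restrict it to trusted hosts")
    return findings
```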

AWS Advisory and Urgent Action

The severity of these issues has prompted Amazon Web Services (AWS) to issue an advisory. Customers using PyTorch inference Deep Learning Containers (DLC) 1.13.1, 2.0.0, or 2.0.1 in EC2, EKS, or ECS released before September 11, 2023, are strongly advised to update to TorchServe version 0.8.2 immediately.

Potential Ramifications and Data Compromise

The researchers emphasize the privileges that exploitation of these vulnerabilities grants, highlighting the ability to view, modify, steal, and delete AI models and sensitive data within the compromised TorchServe server. Once the model-serving server is compromised, attackers gain access to and control over sensitive data, significantly undermining the trust and credibility of the application.
