ShellTorch vulnerabilities chain exposes tens of thousands of servers to remote code execution and data exfiltration.
Researchers revealed that the TorchServe flaws (including CVE-2023-43654, CVSS: 9.8) can expose sensitive data, compromise AI models, and run a full server takeover.
TorchServe is a famous open-source tool for serving and scaling PyTorch models in production. Organizations involved in AI model training and development, like Amazon, OpenAI, Tesla, Azure, Google, and Intel, are some of the tool`s users.
ShellTorch Vulnerabilities Explained
The vulnerability series includes three flaws, which the researchers collectively named ShellTorch. The flaws are:
- An unauthenticated management interface API misconfiguration – This vulnerability lets the web panel to be bound to the IP address 0.0.0.0 by default, thus exposing it to external requests. Since the interface requires no authentication, there is no access restriction. This means that random users can use it to upload malicious models from an external address.
- CVE-2023-43654 (CVSS score: 7.2) – The issue is a remote server-side request forgery (SSRF). When exploited as part of the vulnerability chain, it can enable remote code execution (RCE). Researchers revealed that all domains were accepted by default, which resulted in a Server-Side Request Forgery (SSRF) vulnerability. The issue enables attackers to upload malicious models that trigger arbitrary code.
- CVE-2022-1471 (CVSS score: 9.9) – This flaw is a Java deserialization issue that results in remote code execution (RCE). Insecure deserialization in the SnakeYAML library permits threat actors to upload a model with a malicious YAML file. Further on, it can trigger remote code execution.
When exploited together, the ShellTorch vulnerabilities grant threat actors:
- unauthorized access to PyTorch models,
- the possibility to insert malicious AI models,
- the chance to leak confidential information.
Who Is at Risk?
Organizations that use TorchServe versions 0.3.0 through 0.8.1. are vulnerable to ShellTorch.
While scanning the Internet for vulnerable deployments, researchers found tens of thousands of IP addresses exposed to ShellTorch attacks. In order to find out if your organization is vulnerable, researchers advise using this free tool.
How to Stay Safe from ShellTorch
Users are urged to upgrade to TorchServe 0.8.2, the latest version which PyTorch released in August 28, 2023. The update displays a warning about the server-side request forgery vulnerability (CVE-2023-43654).
Other recommended safety measures, apart from patching, are:
- Reconfigure the management console by setting the management_address to http://127.0.0.1:8081 in the config.properties file. This way TorchServe will only bind to the localhost, not every IP address configured on the server.
- Update the allowed_urls in the config.properties file, to make sure your server only accepts models from trusted domains.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.