Advisory

AI servers vulnerable to code execution via TorchServe vulnerabilities

Take action: If you are using TorchServe, spend some time today to reconfigure the system so that it listens only on local addresses and to update the allowed_urls configuration. After that, start planning a patch. If you are using TorchServe through AWS services, read the details in the AWS advisory.

Learn More

A set of critical vulnerabilities known as "ShellTorch" has been discovered in TorchServe, an open-source AI model-serving tool maintained by Meta and Amazon. These vulnerabilities impact tens of thousands of internet-exposed servers, including those belonging to major organizations. TorchServe is a popular tool used to serve and scale PyTorch machine learning models in production, utilized by academic researchers and large firms like Amazon, OpenAI, Tesla, Azure, Google, and Intel.

The ShellTorch vulnerabilities, tracked as CVE-2023-43654 and CVE-2022-1471, and a misconfiguration issue, affect TorchServe versions 0.3.0 through 0.8.1.

  • The first flaw, a misconfiguration issue, involves an unauthenticated management interface API misconfiguration: the web panel is incorrectly bound to the IP address 0.0.0.0 (all interfaces) by default instead of localhost, making it reachable by external requests. The lack of authentication allows unrestricted access, enabling users to upload malicious models from external addresses.
  • CVE-2023-43654 is a server-side request forgery (SSRF) leading to remote code execution (RCE). TorchServe's API accepted all domains by default instead of enforcing an allowed list, which is the root of the SSRF. Attackers could upload malicious models that trigger arbitrary code execution when loaded on the target server.
  • CVE-2022-1471 involves a Java deserialization problem leading to remote code execution, caused by insecure deserialization in the SnakeYAML library. Attackers could upload a model containing a malicious YAML file to trigger remote code execution.

Exploiting these vulnerabilities in combination could compromise a system running a vulnerable version of TorchServe, potentially allowing unauthorized access and malicious model uploads. The Oligo Security research team discovered these vulnerabilities and noted that tens of thousands of IP addresses are currently exposed to ShellTorch attacks.

Users are advised to upgrade to TorchServe 0.8.2 and properly configure the management console by setting the management_address to http://127.0.0.1:8081 in the config.properties file. Additionally, it's crucial to update the allowed_urls in the config.properties file to ensure that the server fetches models only from trusted domains. Amazon has also issued a security advisory urging users to update to the latest TorchServe version and has provided mitigation guidance.
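As an added illustration (not code from the advisory or from the TorchServe project), the script below parses a config.properties file and flags the two weak settings described above, using constructed samples of a weak and a hardened configuration. The allowed_urls format (comma-separated regular expressions matched against the whole URL) and the probe URL are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample of config.properties in the weak, pre-mitigation state
WEAK_CONFIG = r"""
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
allowed_urls=file://.*|http(s)?://.*
"""

# Constructed sample after applying the advisory's two mitigations
HARDENED_CONFIG = r"""
inference_address=http://127.0.0.1:8080
management_address=http://127.0.0.1:8081
allowed_urls=https://models\.example\.internal/.*
"""

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}
# Constructed external URL used only to probe whether allowed_urls is a catch-all
PROBE_URL = "https://untrusted.example/model.mar"

def parse_properties(text):
    """Minimal key=value parser for a Java-style properties file (comments, blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_config(text):
    """Return findings; an empty list means both advisory mitigations are in place."""
    props, findings = parse_properties(text), []
    addr = props.get("management_address")
    if addr is None:
        findings.append("management_address not set; TorchServe's default applies")
    elif urlparse(addr).hostname not in LOCAL_HOSTS:
        findings.append(f"management_address {addr!r} is not bound to a loopback address")
    allowed = props.get("allowed_urls")
    if allowed is None:
        findings.append("allowed_urls not set; remote model URLs are not restricted")
    else:
        # Assumption: comma-separated regexes, each matched against the whole URL
        for pattern in allowed.split(","):
            if re.fullmatch(pattern, PROBE_URL):
                findings.append(f"allowed_urls pattern {pattern!r} admits arbitrary external hosts")
    return findings
```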
