Cybersecurity researchers have disclosed multiple critical security flaws in the TorchServe tool for serving and scaling PyTorch models that could be chained to achieve remote code execution on affected systems.
Israel-based runtime application security company Oligo, which made the discovery, has coined the vulnerabilities ShellTorch.
โThese vulnerabilities [โฆ] can lead to a full chain Remote Code Execution (RCE), leaving countless thousands of services and end-users โ including some of the worldโs largest companies โ open to unauthorized access and insertion of malicious AI models, and potentially a full server takeover,โ security researchers Idan Levcovich, Guy Kaplan, and Gal Elbaz said.
The list of flaws, which have been addressed in version 0.8.2, is as follows -
Successful exploitation of the aforementioned flaws could allow an attacker to send a request to upload a malicious model from an actor-controlled address, leading to arbitrary code execution.
Put in other words, an attacker who can remotely access the management server can also upload a malicious model, which enables code execution without requiring any authentication on any default TorchServe server.
Even more troublingly, the shortcomings could be chained with CVE-2022-1471 to pave the way for code execution and full takeover of exposed instances.
โAI models can include a YAML file to declare their desired configuration, so by uploading a model with a maliciously crafted YAML file, we were able to trigger an unsafe deserialization attack that resulted in code execution on the machine,โ the researchers said.
Amazon Web Services (AWS) issued an advisory recommending customers using PyTorch inference Deep Learning Containers (DLC) 1.13.1, 2.0.0, or 2.0.1 in EC2, EKS, or ECS released prior to September 11, 2023, to update to TorchServe version 0.8.2.
โUsing the privileges granted by these vulnerabilities, it is possible to view, modify, steal, and delete AI models and sensitive data flowing into and from the target TorchServe server,โ the researchers said.
โMaking these vulnerabilities even more dangerous: when an attacker exploits the model serving server, they can access and alter sensitive data flowing in and out from the target TorchServe server, harming the trust and credibility of the application.โ
Found this article interesting? Follow us on Twitter ๏ and LinkedIn to read more exclusive content we post.