
TorchServe exposes thousands of AI models to new critical vulnerabilities


A set of critical security flaws has been discovered in TorchServe, the open source package used for serving and scaling PyTorch models in production. The vulnerabilities, collectively known as ShellTorch, allow an attacker to execute arbitrary code on affected systems. The Oligo Security researchers who uncovered them have warned that they can compromise the AI infrastructure of major businesses.

ShellTorch lets attackers view, modify, steal and delete AI models and sensitive data on the TorchServe server. Oligo Security stated that the vulnerabilities chain into full Remote Code Execution (RCE), leaving numerous services and end users exposed to unauthorized access and to the insertion of malicious AI models. In the worst case, the result is a full server takeover.

Of the three issues identified, two carry Common Vulnerabilities and Exposures (CVE) identifiers. CVE-2023-43654, a server-side request forgery in the model registration allow-list, has a CVSS score of 9.8; CVE-2022-1471, an unsafe deserialization flaw in the SnakeYAML library TorchServe uses to parse model configuration, has a CVSS score of 9.9. The third issue, a management API that listens on all interfaces without authentication in some default deployments, has not been assigned a CVE.

The SSRF flaw (CVE-2023-43654) stems from the way TorchServe's model and workflow registration API fetches model archives from a remote URL in production. The API is supposed to check that URL against an allow-list of permitted domains, but the default allow-list pattern matched every URL, so the server would fetch a model from any host an API caller named.

Because a model archive carries the Python handler code that TorchServe runs when it loads the model, an attacker who can reach the registration API can make the server download and execute a malicious model, resulting in arbitrary code execution. Combined with the unauthenticated management API and the SnakeYAML deserialization flaw, this gives an attacker a path to unauthorized actions across the AI infrastructure.

Oligo Security has highlighted the severity of these vulnerabilities by emphasizing that they can completely compromise the AI infrastructure of some of the largest companies in the world. With remote code execution and the ability to take over servers, attackers could gain unrestricted access to important AI models and sensitive data.

TorchServe is widely used in the deployment of PyTorch models in a production environment. The open-source package provides valuable utility and scalability for businesses leveraging PyTorch models. However, the discovery of these critical vulnerabilities has raised concerns about the security of AI infrastructure and the potential dangers of exploiting such flaws.

Oligo Security's researchers stressed the importance of promptly addressing these vulnerabilities to prevent attacks. Businesses and organizations should update their TorchServe installations to the latest version that includes the fixes (TorchServe 0.8.2 is the first fixed release), set allowed_urls to an explicit list of trusted model sources rather than a match-all pattern, and bind the management API to localhost or an isolated network. Additional controls such as network segmentation and access restrictions on the management port further reduce the risk.
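The allow-list weakness described earlier and the configuration hardening recommended above can be checked mechanically. The following is an added example, not TorchServe's own code: it audits a TorchServe-style config.properties by modelling the allow-list check as a full regex match over a comma-separated pattern list, and by testing whether the unauthenticated management API is bound to every interface. The config text, host names and probe URLs are constructed for this example, and the "default" values filled in for missing keys are assumptions to be verified against your own install.

```python
"""Audit a TorchServe-style config.properties for the ShellTorch conditions.

Added example, not TorchServe's own code. The allow-list check is modelled as a
full regex match; the config text, host names and probe URLs are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample: match-all allow-list, management API on all interfaces.
WEAK_CONFIG = """
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
allowed_urls=file://.*|http(s)?://.*
"""

# Constructed hardened variant: loopback binds and a single trusted model host.
HARDENED_CONFIG = r"""
inference_address=http://127.0.0.1:8080
management_address=http://127.0.0.1:8081
allowed_urls=https://models\.example\.internal/.*
"""

# Constructed probe URLs an attacker might hand to the registration API.
PROBE_URLS = (
    "http://attacker.example/evil.mar",                       # arbitrary external host
    "http://169.254.169.254/latest/meta-data/",               # cloud metadata (SSRF target)
    "https://models.example.internal.attacker.example/x.mar",  # suffix trick on the trusted host
    "file:///etc/passwd",                                     # local file read
)

# Assumed defaults for a missing key (check your own install's documentation).
ASSUMED_DEFAULT_ALLOWED_URLS = "file://.*|http(s)?://.*"
ASSUMED_DEFAULT_MANAGEMENT_ADDRESS = "http://127.0.0.1:8081"

WILDCARD_HOSTS = {"0.0.0.0", "::", ""}


def parse_properties(text):
    """Parse key=value lines (the subset of Java .properties used here)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def url_allowed(url, allowed_urls):
    """True if the URL fully matches any pattern in the comma-separated allow-list."""
    return any(re.fullmatch(p.strip(), url) for p in allowed_urls.split(","))


def allowlist_is_open(allowed_urls):
    """An allow-list that admits any of the probe URLs is effectively no allow-list."""
    return any(url_allowed(u, allowed_urls) for u in PROBE_URLS)


def management_exposed(management_address):
    """True when the unauthenticated management API listens on every interface."""
    host = urlparse(management_address).hostname
    return (host or "") in WILDCARD_HOSTS


def audit(config_text):
    """Return both findings as booleans keyed by name."""
    props = parse_properties(config_text)
    return {
        "open_allowlist": allowlist_is_open(
            props.get("allowed_urls", ASSUMED_DEFAULT_ALLOWED_URLS)),
        "management_exposed": management_exposed(
            props.get("management_address", ASSUMED_DEFAULT_MANAGEMENT_ADDRESS)),
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

The hardened pattern ends the trusted host with a literal `/` so that a look-alike host such as `models.example.internal.attacker.example` does not match; an allow-list that only anchors the prefix would still be open. Run the audit against the real config.properties of a deployment and treat either finding as a reason to block the management port until it is fixed.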

The severity of these vulnerabilities serves as a reminder of the evolving threat landscape surrounding AI technologies. As AI continues to play a crucial role in various industries, securing AI infrastructure becomes paramount. To stay ahead of potential attacks, organizations must prioritize regular security assessments, vulnerability management, and timely patching to address any discovered flaws.

With the emergence of ShellTorch, the TorchServe community and users must work together to address these vulnerabilities and ensure the reliability and security of their AI systems. It is essential to foster collaboration between security researchers, developers, and users to identify and mitigate potential threats to critical AI infrastructure. By doing so, businesses can continue to leverage the benefits of AI while maintaining a strong security posture.
