Critical vulnerabilities, collectively named ShellTorch, have been found in the TorchServe tool used for serving and scaling PyTorch models. These flaws, discovered by cybersecurity researchers from the Israel-based company Oligo, could potentially lead to remote code execution (RCE) on affected systems.
The researchers, Idan Levcovich, Guy Kaplan, and Gal Elbaz, noted that these vulnerabilities could result in "a full chain Remote Code Execution (RCE), leaving countless thousands of services and end-users — including some of the world's largest companies — open to unauthorized access and insertion of malicious AI models, and potentially a full server takeover."
The vulnerabilities have been addressed in TorchServe version 0.8.2. If exploited successfully, these flaws could enable an attacker to send a request to upload a malicious model from an actor-controlled address, leading to arbitrary code execution. In simpler terms, an attacker with remote access to the management server could upload a malicious model, enabling code execution without any authentication on any default TorchServe server.
Further exacerbating the issue, these flaws could be combined with CVE-2022-1471 to facilitate code execution and full takeover of exposed instances. According to the researchers, "AI models can include a YAML file to declare their desired configuration, so by uploading a model with a maliciously crafted YAML file, we were able to trigger an unsafe deserialization attack that resulted in code execution on the machine."
Amazon Web Services (AWS) has issued an advisory in response to the severity of these issues, urging customers using PyTorch inference Deep Learning Containers (DLC) 1.13.1, 2.0.0, or 2.0.1 in EC2, EKS, or ECS released before September 11, 2023, to update to TorchServe version 0.8.2.
The researchers further warned that an attacker exploiting these vulnerabilities could potentially view, modify, steal, and delete AI models and sensitive data flowing into and from the target TorchServe server. They stressed the danger of these vulnerabilities, stating, "when an attacker exploits the model serving server, they can access and alter sensitive data flowing in and out from the target TorchServe server, harming the trust and credibility of the application."
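As an added example (not code from Oligo, AWS or the TorchServe project), the following defender-side check flags the conditions the article describes: a release older than 0.8.2, a management API reachable from beyond the local host, and no restriction on where models may be loaded from. It assumes TorchServe's `config.properties` keys `management_address` and `allowed_urls`, which the article does not name, and that an unset `management_address` binds to loopback; the sample configs are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

FIXED = (0, 8, 2)  # release the article names as containing the fixes
PERMISSIVE = {".*", "http://.*", "https://.*", "https?://.*"}
# Constructed sample configurations, not taken from any real deployment.
SAMPLE_EXPOSED = "inference_address=http://0.0.0.0:8080\nmanagement_address=http://0.0.0.0:8081\n"
SAMPLE_HARDENED = ("management_address=http://127.0.0.1:8081\n"
                   "allowed_urls=https://models.example.internal/.*\n")

def parse_properties(text):
    """Parse simple key=value lines of a .properties file (no line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def is_loopback(url):
    host = urlparse(url).hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unclassifiable host name: treat as exposed

def audit(version, config_text):
    """Return a list of finding labels for one TorchServe instance."""
    findings = []
    if tuple(int(n) for n in re.findall(r"\d+", version)[:3]) < FIXED:
        findings.append("version-below-0.8.2")
    props = parse_properties(config_text)
    mgmt = props.get("management_address")  # assumption: unset means loopback
    if mgmt is not None and not is_loopback(mgmt):
        findings.append("management-api-not-loopback")
    allowed = props.get("allowed_urls")  # assumption: unset means no restriction
    if allowed is None:
        findings.append("allowed-urls-unset")
    elif any(p.strip() in PERMISSIVE for p in allowed.split(",")):
        findings.append("allowed-urls-permissive")
    return findings

if __name__ == "__main__":
    print(audit("0.8.1", SAMPLE_EXPOSED), audit("0.8.2", SAMPLE_HARDENED))
```
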