Newly identified critical vulnerabilities in the machine learning framework TorchServe pose a significant threat to artificial intelligence (AI) applications. These vulnerabilities, collectively termed 'ShellTorch', show that AI applications are exposed to the same open-source supply-chain risks as any other application.
Companies like Amazon, Google, Microsoft Azure, and Walmart that utilize TorchServe are vulnerable to these flaws. TorchServe is an open-source framework maintained by Amazon and Meta, used for deploying deep-learning models based on the PyTorch open-source machine learning library.
If exploited, these vulnerabilities could enable threat actors to access proprietary data in AI models, introduce malicious models into production environments, alter machine learning model results, and gain complete control over servers. Thousands of instances of this software are publicly exposed on the internet, making them susceptible to unauthorized access and other malicious actions.
The vulnerabilities were discovered by researchers at Oligo, who found tens of thousands of IP addresses completely exposed to the attack, including many belonging to Fortune 500 organizations. All TorchServe versions up to and including 0.8.1 are vulnerable; the flaws have been addressed in TorchServe version 0.8.2.
Oligo has named these vulnerabilities 'ShellTorch'. Two of them, CVE-2023-43654 and CVE-2022-1471, are rated as critical. CVE-2023-43654 is a server-side request forgery (SSRF) vulnerability that enables remote code execution (RCE), and CVE-2022-1471 is a Java deserialization RCE. The third ShellTorch vulnerability arises from TorchServe's default exposure of a crucial management API to the internet.
This misconfiguration is present in Amazon’s and Google’s proprietary Docker images by default and is present in self-managed services of the largest providers of machine learning services. The management interface can be accessed without any authentication, making it a significant risk.
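A defender's first check against the misconfiguration described above is whether the management API is bound only to loopback and whether model sources are pinned. The following audit script is an added example, not code from Oligo or the TorchServe project; it assumes TorchServe's `config.properties` keys `management_address` and `allowed_urls`, and both sample configurations are constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample: management API on all interfaces, no model-source restriction.
EXPOSED_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
metrics_address=http://0.0.0.0:8082
"""

# Constructed sample: management and metrics on loopback only, model sources pinned.
HARDENED_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
metrics_address=http://127.0.0.1:8082
allowed_urls=file://.*,https://models\\.internal\\.example/.*
"""

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return findings for the two exposure preconditions; [] means none found."""
    props = parse_properties(text)
    findings = []
    # Assumed TorchServe default when the key is absent: loopback on port 8081.
    mgmt = props.get("management_address", "http://127.0.0.1:8081")
    host = urlparse(mgmt).hostname or ""
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = host == "localhost"
    if not loopback:
        findings.append(f"management API reachable off-host: {mgmt}")
    entries = [e.strip() for e in props.get("allowed_urls", "").split(",") if e.strip()]
    if not entries:
        findings.append("allowed_urls not set: models may be fetched from any URL")
    for entry in entries:
        scheme, _, rest = entry.partition("://")
        # A remote scheme whose host part is a bare '.*' pins nothing.
        if not scheme.startswith("file") and rest in ("", ".*"):
            findings.append(f"allowed_urls entry does not pin a host: {entry}")
    return findings
```

Run `audit()` over each deployed `config.properties`; an empty list means the management API is loopback-only and every remote model source names a host.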
One of the attack vectors is related to CVE-2023-43654, an SSRF flaw that allows an attacker to upload a malicious model into a production environment, resulting in arbitrary code execution. CVE-2022-1471 is an RCE vulnerability in SnakeYAML, a widely used open-source library that TorchServe depends on. By uploading an ML model with a malicious YAML file, an attacker can trigger RCE on the underlying server.
These vulnerabilities demonstrate that AI applications are exposed to the same risks as all other applications from open source code. However, the potential consequences are even greater with AI due to the extensive use of large language models and other AI technologies. Vulnerabilities like ShellTorch provide attackers with a means to corrupt AI models, generate misleading answers, and create further disruptions.