Major companies worldwide could have their AI infrastructure severely compromised due to critical vulnerabilities in TorchServe, a model-serving tool in the PyTorch machine learning framework. Oligo, a firm specializing in application security and observability, discovered these flaws and has named the resulting attack chain 'ShellTorch'. TorchServe, an open-source package with over 30,000 PyPI downloads per month and more than one million Docker Hub pulls, is used by companies such as Amazon, Google, Intel, Microsoft, Tesla, and Walmart.
Oligo found that TorchServe is affected by three vulnerabilities, two of which are rated as 'critical severity'. The vulnerabilities are tracked under the identifier CVE-2023-43654. One of them is a default misconfiguration that leaves the TorchServe management interface exposed to remote access without authentication. The other two can be exploited for remote code execution, through server-side request forgery (SSRF) and unsafe deserialization.
Oligo's IP scanner identified tens of thousands of potentially vulnerable instances, including many belonging to Fortune 500 companies. The firm warned, “These vulnerabilities can completely compromise the AI infrastructure of the world’s biggest businesses.” The firm further explained that an attacker could exploit these vulnerabilities to gain initial access, execute malicious code on the targeted PyTorch server, and then move laterally within the network to even more sensitive systems.
Oligo further noted that, with ShellTorch, attackers would already be at the heart of the AI infrastructure, able to leverage TorchServe's high privileges to view, modify, steal, and delete AI models, which often contain a business's core IP. The firm added, "Making these vulnerabilities even more dangerous: when an attacker exploits the model serving server, they can access and alter sensitive data flowing in and out from the target TorchServe server, harming the trust and credibility of the application."
AWS has issued an advisory informing customers that versions 0.3.0 through 0.8.1 are impacted and 0.8.2 patches some of the flaws. Oligo also reported that Meta has taken steps to address the default misconfiguration that left servers exposed.
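The exposure pattern described above can be checked on a defender's own deployments. The following is an added example, not code from Oligo or the TorchServe project: it audits a TorchServe `config.properties` for a management API bound to a non-loopback address and for an `allowed_urls` setting that would let the model-registration path fetch from arbitrary internal hosts. It assumes the documented `management_address` and `allowed_urls` keys, treats `allowed_urls` as a comma-separated list of regexes (an assumption), and uses constructed sample configurations.

```python
import re
from urllib.parse import urlparse

# Added example (not Oligo's or TorchServe's code). Assumes the documented
# config keys `management_address` and `allowed_urls`; sample configs below
# are constructed for illustration.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed internal URL used only to probe how permissive allowed_urls is.
PROBE_INTERNAL_URL = "http://10.0.0.5/model.mar"


def parse_properties(text: str) -> dict:
    """Parse a minimal Java-style key=value properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_torchserve_config(text: str) -> list:
    """Return findings for settings that reproduce the ShellTorch exposure."""
    props = parse_properties(text)
    findings = []

    # Finding 1: management API reachable beyond the local host.
    mgmt = props.get("management_address", "")
    host = urlparse(mgmt).hostname if mgmt else None
    if host is None or host not in LOOPBACK_HOSTS:
        findings.append("management_address not bound to loopback: %s" % (mgmt or "<unset>"))

    # Finding 2: model URLs may be fetched from arbitrary (internal) hosts.
    allowed = props.get("allowed_urls", "")
    if not allowed:
        findings.append("allowed_urls unset: version default governs model sources")
    else:
        for pattern in allowed.split(","):
            try:
                if re.fullmatch(pattern.strip(), PROBE_INTERNAL_URL):
                    findings.append("allowed_urls admits internal hosts: %s" % pattern.strip())
                    break
            except re.error:
                findings.append("allowed_urls contains an invalid regex: %s" % pattern.strip())
    return findings


WEAK_CONFIG = """inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
allowed_urls=file://.*|http(s)?://.*
"""

HARDENED_CONFIG = """inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
allowed_urls=file:///opt/models/.*,https://models\\.example\\.internal/.*
"""
```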