A trio of critical security issues were identified in TorchServe, an open source package for serving and scaling PyTorch models in production, that could lead to an attacker executing arbitrary codes on the affected systems.
Combinedly called ShellTorch, as coined by Oligo Security researchers who discovered them, the vulnerabilities can grant an attacker the privilege to view, modify, steal, and delete AI models and sensitive data on TorchServe server.
These vulnerabilities can completely compromise the AI infrastructure of the world’s biggest businesses, Oligo Security said. “These vulnerabilities can lead to a full chain Remote Code Execution (RCE), leaving countless thousands of services and end-users — including some of the world’s largest companies — open to unauthorized access and insertion of malicious AI models, and potentially a full server takeover.”
Two of the discovered vulnerabilities — CVE-2023-43654 and CVE-2023-1471 — carry CVSS scores of 9.8 and 9.9 respectively, while the third one doesn’t have a CVE entry yet.
Flaws allow remote code execution and server takeover
While serving models in production, TorchServe provisions fetching configuration files for the models from a remote URL using the workflow or model registration API. In one of the vulnerabilities (CVE-2023-43654), it was found that the API logic for an allowed list of domains accepts all domains as valid URLs, resulting in a server-side-request-forgery (SSRF).
“This allows an attacker to upload a malicious model that will be executed by the server, which results in arbitrary code execution,” Oligo Security said.