Critical security flaws, collectively dubbed ‘ShellTorch’, have been found in TorchServe, the widely used open-source tool for serving PyTorch models. The vulnerabilities put a large number of internet-exposed servers at risk, including some operated by prominent organizations.
TorchServe, a project jointly maintained by Meta and Amazon, plays a pivotal role in deploying and scaling PyTorch machine learning models for real-world applications. This versatile library caters to a diverse user base, ranging from academic researchers to major industry players such as Amazon, OpenAI, Tesla, Azure, Google, and Intel.
The ShellTorch vulnerability
The Oligo Security research team has uncovered three vulnerabilities, collectively called ShellTorch, affecting TorchServe versions 0.3.0 through 0.8.1. Individually each is serious; together they give an attacker a full path to code execution.
The first issue is a misconfiguration of the unauthenticated management API. By default the management interface binds to 0.0.0.0 rather than to localhost, so it accepts requests arriving on any network interface. Because the API has no authentication, anyone who can reach it can register, scale and delete models, including registering a model fetched from an attacker-controlled URL.
The second vulnerability, tracked as CVE-2023-43654, is a server-side request forgery (SSRF) issue that can lead to remote code execution (RCE). TorchServe’s API was designed to fetch model files only from an allow-list of domains, but by default every domain was accepted. This lets an attacker point the server at a malicious model archive which, once loaded, executes arbitrary code on the target.
The third vulnerability, CVE-2022-1471, is a Java deserialization flaw in the SnakeYAML library that TorchServe uses to parse model configuration. An attacker who can upload a model containing a crafted YAML file can trigger remote code execution when that file is parsed.
When combined, these three vulnerabilities offer attackers a potent means of compromising systems running vulnerable versions of TorchServe.
Oligo’s research findings indicate that web scanning turned up numerous IP addresses exposed to ShellTorch attacks, some belonging to sizable organizations with a global presence. An attacker who breaches an organization’s network through a TorchServe instance could use it as a foothold for broader attacks, particularly where robust security measures are lacking.
To address these vulnerabilities, users are strongly encouraged to upgrade to TorchServe version 0.8.2. Note, however, that this release does not fully mitigate CVE-2023-43654; it only emits a warning about the SSRF issue. Users should therefore also configure the management interface correctly by setting ‘management_address’ to http://127.0.0.1:8081 in the config.properties file, so that the management API binds exclusively to localhost rather than to every IP address on the server. Finally, users should restrict model fetching to trusted sources by tightening ‘allowed_urls’ in the same config.properties file.
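The following script is an added example, not code from TorchServe or from Oligo. It audits a config.properties fragment for the two settings discussed above: whether the management API binds to all interfaces, and whether the allowed_urls setting would accept a model registered from an arbitrary remote host. The sample configs and the attacker URL are constructed for this example. Two things are assumptions rather than facts from the article: the built-in default of `file://.*|http(s)?://.*` when allowed_urls is absent, and that TorchServe treats allowed_urls as a comma-separated list of regular expressions that the model URL must fully match.

```python
"""Audit a TorchServe config.properties for the ShellTorch hardening settings.

Added example, not TorchServe's own code. Checks (1) whether the management
API is bound to every interface instead of localhost and (2) whether
allowed_urls would let a model be registered from an arbitrary remote host.
"""
import re
from urllib.parse import urlparse

# Assumption: TorchServe's built-in default for allowed_urls, applied when the
# key is absent from config.properties.
DEFAULT_ALLOWED_URLS = "file://.*|http(s)?://.*"

# Constructed: a permissive config of the kind the article describes
# (no allowed_urls key, so the default above applies).
WEAK_CONFIG = """
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
"""

# Constructed: the hardened config the article recommends, with allowed_urls
# narrowed to a local model directory and one trusted internal host.
HARDENED_CONFIG = """
inference_address=http://127.0.0.1:8080
management_address=http://127.0.0.1:8081
allowed_urls=file:///opt/models/.*,https://models\\.example\\.internal/.*
"""

# Constructed attacker-controlled model URL used as the probe.
PROBE_URL = "http://attacker.example/evil.mar"


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for a Java-style .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def binds_all_interfaces(address: str) -> bool:
    """True if a *_address URL listens on every interface (0.0.0.0 or ::)."""
    host = urlparse(address).hostname
    return host in ("0.0.0.0", "::")


def url_allowed(allowed_urls: str, url: str) -> bool:
    """Assumption: allowed_urls is a comma-separated list of regexes and a
    model URL is accepted when it fully matches any one of them (Java's
    String.matches semantics, approximated here with re.fullmatch)."""
    return any(re.fullmatch(pattern, url) for pattern in allowed_urls.split(","))


def audit(config_text: str) -> dict:
    """Return the two ShellTorch-relevant findings for one config.properties."""
    props = parse_properties(config_text)
    mgmt = props.get("management_address", "")
    allowed = props.get("allowed_urls", DEFAULT_ALLOWED_URLS)
    return {
        "management_exposed": binds_all_interfaces(mgmt),
        "arbitrary_url_allowed": url_allowed(allowed, PROBE_URL),
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Run it against a real config.properties by reading the file into `audit`. Note that even an anchored pattern such as `file:///opt/models/.*` still accepts any suffix, including `..` segments, so keep allow-list patterns as narrow as the deployment permits and escape literal dots in hostnames as the hardened sample does.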
Amazon has also issued a security bulletin pertaining to CVE-2023-43654, offering mitigation guidance for customers employing Deep Learning Containers (DLC) within EC2, EKS, or ECS environments.
Oligo also offers a free tool to check instances for the ShellTorch vulnerabilities, helping administrators protect their systems.