ShellTorch Flaw Exposes Thousands of AI Servers to RCE Attacks

ShellTorch Serve is an open-source model-serving library developed by PyTorch that simplifies the deployment of machine learning models for inference in production environments. 

It provides a scalable and efficient way to serve PyTorch models, making integrating them into applications and services easier.

The Oligo Security team found critical vulnerabilities, including CVE-2023-43654, enabling full chain RCE (Remote Code Execution). 

Thousands of exposed instances, even in major organizations, risk the following things:-

• Unauthorized access
• Malicious AI model insertion
• Complete server takeover

AI models are now essential for critical tasks, from safety to security, but they also demand trust with sensitive data, impacting global conflicts and crucial decisions.

FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Free Demo

PyTorch

PyTorch, a leading ML framework, stands at the intersection of AI and open-source libraries. In late 2022, attackers exploited dependency confusion to compromise PyTorch, introducing malicious code.

TorchServe, an influential PyTorch model-serving framework backed by Meta and Amazon, boasts widespread adoption in research and industry, including giants like-

• Walmart
• Tesla
• Google

It’s central to various projects and available as a managed service on major cloud platforms.

Experts found tens of thousands of exposed IP addresses, including Fortune 500 companies, vulnerable to Oligo’s discovered flaws in TorchServe versions before 0.8.2, enabling:- 

• Remote code execution
• Server takeover
• Data theft

Exploiting ShellTorch CVE-2023-43654 allows an attacker to gain server control through API misconfigurations, SSRF vulnerabilities, and unsafe deserialization, potentially compromising AI models and sensitive data.

Vulnerabilities

There are three vulnerabilities, and we have mentioned them:-

• Unauthenticated Management Interface API Misconfiguration
• Remote Server-Side Request Forgery that Leads to RCE – CVE-2023-43654 (NVD, CVSS: 9.8)
• Java Deserialization RCE – CVE-2022-1471 (GHSA, CVSS: 9.9)

Security Risks in AI

2023, “The Year of AI,” sees rapid innovation and fierce competition. Open-source tools drive AI growth but introduce significant security risks, challenging the balance between innovation and vulnerability in a hypergrowing AI industry.

Oligo’s discovered vulnerabilities illustrate real-world risks in the recent OWASP Top 10 for LLM Applications, including:-

• Supply Chain Vulnerabilities
• Model Theft
• Model injection

ShellTorch vulnerabilities highlight the risk even in widely trusted projects maintained by top companies. Managed services by trusted providers may still have vulnerabilities. 

Even default self-managed containers by Amazon and Google were vulnerable to ShellTorch, although both companies have issued updates and advisories.

Mitigations

Here below, we have mentioned all the mo=itigations offered by the security experts:-

• Update TorchServe to 0.8.2 or higher, but note that this update only adds a warning, not a fix, for the SSRF vulnerability.
• To limit potential impacts, configure the management console correctly to prevent remote access using default settings.
• Ensure your server fetches models exclusively from domains that are trusted.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.