A recently identified set of critical vulnerabilities, referred to as 'ShellTorch', has been discovered in the open-source TorchServe AI model-serving tool, maintained by Meta and Amazon. These vulnerabilities leave tens of thousands of internet-exposed servers at risk, some of which are owned by large organizations.
Details of the ShellTorch Vulnerabilities
The vulnerabilities dubbed ShellTorch affect TorchServe versions 0.3.0 to 0.8.1. The first flaw is a misconfiguration of the management interface API: it is exposed without authentication, potentially allowing any user to upload harmful models from external addresses without restriction.
The second issue, identified as CVE-2023-43654, creates a pathway for remote server-side request forgery (SSRF), leading to remote code execution (RCE). Under normal circumstances, TorchServe's API has an allowed list of domains for fetching models' configuration files from a remote URL. However, it has been discovered that the API accepts all domains by default.
The third flaw, labeled as CVE-2022-1471, involves a Java deserialization problem resulting in remote code execution. The SnakeYAML library's insecure deserialization enables attackers to upload a model with a malevolent YAML file, triggering remote code execution.
If attackers chain these vulnerabilities, vulnerable versions of TorchServe could be fully compromised. BleepingComputer has shared the following animation about how those attacks work.
Mitigating the ShellTorch Threat: Essential Remediation Steps
Oligo Security has found tens of thousands of IP addresses that are currently exposed to ShellTorch attacks during its web scanning, some of which belong to globally prominent organizations.
To neutralize these vulnerabilities, it is imperative for users to update to TorchServe 0.8.2. This update, however, fails to address CVE-2023-43654 but alerts the user about the SSRF threat. It's also essential to properly configure the management console by setting the management_address to http://127.0.0.1:8081. This alteration will ensure TorchServe binds to localhost instead of every IP address configured on the server.
Another protective measure involves ensuring servers only fetch models from trusted domains. Amazon has issued an advisory regarding CVE-2023-43654, offering guidance for users employing Deep Learning Containers (DLC) in EC2, EKS, or ECS. Lastly, Oligo has released a free tool for administrators to assess if their instances are exposed to ShellTorch attacks.
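The two configuration-level mitigations above (binding the management API to loopback and restricting the domains models may be fetched from) can be audited offline. The script below is an added example, not code from Oligo, Meta, Amazon or the TorchServe project; it reads a TorchServe config.properties file and flags either setting when it is missing or permissive. It assumes the documented keys management_address and allowed_urls, treats each allowed_urls entry as a regular expression that must match the whole URL (an assumption about how TorchServe applies the list), and the two sample configurations embedded in it are constructed for illustration.

```python
"""Audit a TorchServe config.properties for the ShellTorch mitigations.

Added example; assumes the config keys `management_address` and
`allowed_urls` (comma-separated regular expressions). Sample configs below
are constructed, not taken from a real deployment.
"""
import re
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed probe URLs: a restrictive allow-list should reject both an
# arbitrary external host and a local file path.
PROBE_URLS = ("http://203.0.113.10/model.mar", "file:///tmp/model.mar")

# Constructed sample: binds the management API to every interface and
# allows any file:// or http(s):// URL as a model source.
WEAK_CONFIG = """inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
allowed_urls=file://.*|http(s)?://.*
"""

# Constructed sample applying the mitigations from the article: management
# API on loopback, model downloads limited to one trusted internal host.
HARDENED_CONFIG = """inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
allowed_urls=https://models.example.internal/.*
"""


def parse_properties(text):
    """Parse Java-style key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def management_is_local(props):
    """True only when management_address is present and its host is loopback."""
    addr = props.get("management_address")
    if not addr:
        return False  # cannot confirm a loopback binding, so treat as exposed
    return urlparse(addr).hostname in LOOPBACK_HOSTS


def allowed_urls_is_restrictive(props):
    """True when allowed_urls exists and none of its patterns admit a probe URL."""
    value = props.get("allowed_urls")
    if not value:
        return False
    patterns = [re.compile(p.strip()) for p in value.split(",") if p.strip()]
    return not any(p.fullmatch(url) for p in patterns for url in PROBE_URLS)


def audit(text):
    """Return a list of findings; an empty list means both mitigations are in place."""
    props = parse_properties(text)
    findings = []
    if not management_is_local(props):
        findings.append("management_address not bound to loopback")
    if not allowed_urls_is_restrictive(props):
        findings.append("allowed_urls missing or permits arbitrary hosts")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Running the script prints two findings for the weak sample and "ok" for the hardened one; pointing audit() at the contents of a real config.properties gives the same report for a deployed instance. The allowed_urls check is deliberately conservative: any pattern that admits an arbitrary external host or a local file path is reported, since both are what the SSRF path in CVE-2023-43654 relies on.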