ShellTorch: Critical SSRF Vulnerability (CVE-2023-43654) in TorchServe
Check now if you’re vulnerable
What is ShellTorch?
ShellTorch is a chain of critical vulnerabilities (including CVE-2023-43654, CVSS: 9.8) in the PyTorch (the most popular AI framework) model server TorchServe. ShellTorch allows access to proprietary AI models, insertion of malicious models, and leakage of sensitive data – and can be used to alter the model’s results or to execute a full server takeover.
The vulnerabilities, discovered by researchers at Oligo Security and disclosed to Amazon and Meta in July 2023, expose the management interface of TorchServe to be publicly accessible without authentication, and allow model uploads from any domain without any validation (SSRF), which results in a Remote Code Execution (RCE), putting countless thousands users at risk as the vulnerabilities can be easily exploited directly from the internet. ShellTorch impacts thousands of services, including in many Fortune 500 organizations.
Who Is Impacted?
Any organization using TorchServe version prior to 0.8.2 is impacted. Version 0.8.2 does not fully remediate the vulnerability but warns users.
Mitigation Steps
We have created a step-by-step guide to mitigating your risk from ShellTorch in our blog.
ShellTorch Vulnerabilities Overview
By exploiting ShellTorch, an attacker can execute code and take over the target server. This includes abusing an API misconfiguration that allows accessing the management console remotely without any authentication and exploiting a remote Server-Side Request Forgery (SSRF) vulnerability that allows uploading a malicious model that leads to code execution. Our research team has also found another unsafedeserialization vulnerability that can be triggered remotely, which exposes another attack vector to execute arbitrary code (persistent RCE).
Using high privileges granted by these vulnerabilities, it is possible to view, modify, steal, or delete AI models and sensitive data flowing into and from the target Torchserve server.
About Oligo Research
Oligo Research Team is a group of experienced researchers who focus on new attack vectors in open source software. The team identifies critical issues and alerts Oligo customers and the technology community about their findings. The team has already reported dozens of vulnerabilities in popular OSS projects and libraries, including Apache Cassandra and Atlassian Confluence. Their work has been featured at DEFCON 31 – and they’re just getting started.
Questions & Answers
Is my organization impacted by ShellTorch?
All organizations that directly use TorchServe to serve PyTorch models are impacted. All versions of TorchServe 0.8.1 and earlier are impacted by the vulnerability.
Where can I find more information about ShellTorch?
A more detailed explanation of ShellTorch and how it can be exploited and mitigated is available in this blog.
Who discovered ShellTorch?
The research team at Oligo Security aimed to apply their proficiency in identifying vulnerabilities to enhance the security of AI projects, observing a substantial increase in AI usage and developments over the past year.
Given the ramifications for responsible AI, the surge in the utilization of open-source software-based AI frameworks was noteworthy. The team observed that discourse on AI risk often overlooked the inherent vulnerabilities arising from the reliance on open-source software, creating exploitable opportunities for attackers.
TorchServe is widely used globally and is a crucial dependency for many AI projects and vendors. The detection of multiple, easily exploitable vulnerabilities in TorchServe revealed significant potential for abuse of trusted AI models by organizations, governments, and militaries worldwide.
To address these issues responsibly, the team engaged collaboratively with the PyTorch maintainers and the security teams of Amazon and Meta. This synergy enabled the comprehensive disclosure of the vulnerabilities and facilitated a profound understanding of the associated risks and their mitigation strategies.
What can attackers potentially do using ShellTorch?
Attackers can use ShellTorch to steal information used by AI models (including proprietary or sensitive data), intentionally corrupt models to generate false or misleading answers, or take over servers with full remote code execution capabilities. These potential exploits are only the tip of the iceberg – with privileged access and remote code execution, the possibilities for misuse are endless, bounded only by the creativity of the attackers.
Due to the extreme potential impact of these exploits, it is crucial for organizations to implement the aforementioned mitigation strategies to minimize the risk of a breach.
