
TorchServe Potentially Exposed to Remote Code Execution

Israeli-based security company Oligo has uncovered multiple vulnerabilities in TorchServe, the tool used to serve PyTorch models, that could allow an attacker to run arbitrary code on vulnerable systems. The vulnerabilities have been promptly fixed in TorchServe version 0.8.2.

The hottest name in AI frameworks today is PyTorch, which has completely dominated ML research and is gaining ground in private companies’ AI efforts. That’s why it shocked our researchers to discover that – with no authentication whatsoever – we could remotely execute code with high privileges, using new critical vulnerabilities in PyTorch open-source model servers (TorchServe).

Dubbed ShellTorch, the vulnerability affects thousands of TorchServe instances that are publicly exposed, say Idan Levcovich, Guy Kaplan, and Gal Elbaz, security researchers with Oligo. Many of the affected systems belong to Fortune 500 companies.

Oligo researchers discovered three distinct vulnerabilities. The first one, CVE-2023-43654, has been present since version 0.1.0 and is caused by TorchServe's default configuration lacking proper input validation, specifically of the domain names from which models can be downloaded. By exploiting this behaviour, an attacker is able to load a malicious model of their choice from any URL, which results in the execution of arbitrary code.

The second vulnerability, CVE-2022-1471, is related to an insecure YAML dependency used in TorchServe. In particular, when a PyTorch model is loaded, TorchServe can deserialize a YAML configuration file using SnakeYAML. In combination with the first vulnerability, this allows an attacker to inject an arbitrary YAML file and trigger an unsafe deserialization in SnakeYAML, resulting in arbitrary code execution.

The third vulnerability affects the TorchServe management console. Since it is bound to all IP addresses and not just the loopback interface, as the documentation suggests, the console is accessible to external requests. Combined with the fact that TorchServe does not include authentication on its own, this means anyone can access a default-configured TorchServe instance.

This combination of vulnerabilities allows us to remotely run code with high privileges without any authentication.

As Oligo's researchers explain, ShellTorch allows an attacker to reach the core of the AI infrastructure, thus gaining and leveraging TorchServe’s high privileges in order to view, modify, steal, and delete AI models.

As mentioned, TorchServe 0.8.2 fixed the three vulnerabilities described above, and upgrading is the most straightforward way to safeguard your PyTorch deployment. Still, Oligo's researchers suggest that PyTorch users correctly configure the management console by setting management_address= in its configuration to forbid external access to the management console. Likewise, users should restrict trusted domains by setting the allowed_urls property to a suitable value in order to restrict the domains from which models can be downloaded.
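The two hardening settings above, management_address and allowed_urls, are easy to audit before deployment. The following Python script is an added example written for this article, not code from Oligo or the TorchServe project: it parses a TorchServe-style properties file (the file name config.properties and the Java .properties layout are assumptions), flags a management address that is not bound to loopback and an allowed_urls list that would accept a model from an arbitrary host, and shows a constructed permissive configuration next to a hardened one. It assumes allowed_urls is a comma-separated list of regular expressions matched against the full model URL.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a permissive TorchServe-style config.properties
# (assumed file name). The management API listens on every interface and
# the allowed_urls pattern accepts any http(s) host.
WEAK_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
allowed_urls=file://.*|http(s)?://.*
"""

# Constructed hardened counterpart: management API on loopback only,
# model downloads restricted to one internal host (hypothetical name).
HARDENED_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
allowed_urls=https://models\\.example\\.internal/.*
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed probe URL used only to test whether a pattern is over-broad.
PROBE_URL = "http://attacker.invalid/model.mar"


def parse_properties(text):
    """Parse key=value lines in Java .properties style, ignoring blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return a list of findings for the two weak settings discussed in the article."""
    props = parse_properties(text)
    findings = []

    addr = props.get("management_address")
    if addr is None:
        findings.append("management_address not set; the shipped default applies")
    else:
        host = urlparse(addr).hostname or addr
        if host not in LOOPBACK_HOSTS:
            findings.append(f"management API bound to {host!r}, reachable from other hosts")

    urls = props.get("allowed_urls")
    if urls is None:
        findings.append("allowed_urls not set; any URL may be used as a model source")
    else:
        for pattern in urls.split(","):
            # Assumption: each entry is a regex matched against the whole model URL.
            if re.fullmatch(pattern.strip(), PROBE_URL):
                findings.append(f"allowed_urls pattern {pattern!r} matches arbitrary hosts")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

Running the script reports two findings for the permissive file (externally reachable management API, allowed_urls matching any host) and none for the hardened one. The probe URL approach is deliberately conservative: a pattern is only flagged when it accepts a host outside the operator's control, so a deny-by-default list of internal hosts passes.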
