Amazon warns of ‘ShellTorch’ issue affecting code related to AI models

Siva Ramakrishnan
Amazon is warning users of a vulnerability affecting TorchServe — a tool used by some of the world’s biggest companies in building artificial intelligence models into their businesses.

The tech giant published an advisory on Monday about the bug, CVE-2023-43654, and urged customers to update to the latest version of TorchServe in an effort to resolve the issue, which essentially exposes important administrative tools to the open internet.

CVE-2023-43654 is part of a set of vulnerabilities named “ShellTorch” by researchers from Israeli security firm Oligo, which discovered the issues.

TorchServe is a popular open-source code package in the PyTorch ecosystem, which is overseen by Amazon and Meta. The project is used by hundreds of organizations around the world, including companies like Walmart, OpenAI, Tesla, Azure, Google Cloud and Intel.

Using the vulnerabilities discovered by Oligo, a hacker could view, modify, steal or delete AI models and sensitive data that moves between the company and the TorchServe server, according to the researchers.

Oligo published details about another bug — CVE-2022-1471 — as well as an issue related to API misconfigurations.

Researchers Idan Levcovich, Guy Kaplan and Gal Elbaz said that using an IP scanner, they discovered “thousands of vulnerable instances publicly exposed, including of some of the world’s largest organizations — open to unauthorized access and insertion of malicious AI models, and potentially a full server takeover.”

They noted the popularity of PyTorch in machine learning research as well as private companies’ AI projects.

“That’s why it shocked our researchers to discover that – with no authentication whatsoever – we could remotely execute code with high privileges, using new critical vulnerabilities in PyTorch open-source model servers (TorchServe),” the Oligo researchers said. “These vulnerabilities make it possible to compromise servers worldwide. As a result, some of the world’s largest companies might be at immediate risk.”

Neither Amazon nor Oligo said the vulnerabilities are being exploited. Oligo created a free tool that organizations can use to see if they are affected by the issue. The researchers said both Meta and Amazon have released updates that address some of the issues.

The researchers also provided other advice for companies, including reconfiguring management consoles and limiting access to trusted domains. Meta did not respond to requests for comment.

The issue comes days after two other popular open source libraries — libvpx and libwebp — were found to have vulnerabilities being exploited by hackers.

Oligo noted that the TorchServe vulnerabilities underscore the grave dangers associated with artificial intelligence models relying heavily on open source software.

The White House and a handful of government agencies have called for experts to help them create policies around the cybersecurity of open source software and promote the use of more secure programming languages.

They held a summit last month on the issue and published a roadmap for how the root causes of open source issues can be addressed going forward.

Callie Guenther, senior manager of cyber threat research at cybersecurity company Critical Start, told Recorded Future News that it is now paramount that the AI models being used widely in academia and industry are not weaponized as vectors for exploits.

CVE-2023-43654, the most serious of the vulnerabilities according to experts, “accentuates the necessity of rigorously tested domain whitelisting mechanisms. An ‘allowed list’ that indiscriminately accepts all domains is, paradoxically, a glaring security loophole,” she said.
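The two configuration weaknesses the article describes, a management console reachable from outside and an "allowed list" that accepts every domain, can both be caught by reading the server's configuration before deployment. The following audit script is an added example and is not the article's, Oligo's or TorchServe's own code. The key names `allowed_urls` and `management_address` are real TorchServe `config.properties` keys; the sample configurations, the probe URLs and the finding codes are constructed here for illustration, and the parser deliberately ignores Java-properties escape handling.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a TorchServe-style config.properties with the two
# weak settings discussed in the article. Values are illustrative only.
WEAK_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
# Accepts any file:// or http(s):// source, so it is not really an allowlist.
allowed_urls=file://.*|http(s)?://.*
"""

# Constructed sample: the same file with the management API bound to
# loopback and model registration limited to one trusted path prefix.
HARDENED_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
allowed_urls=https://models[.]example[.]internal/approved/[A-Za-z0-9_-]+[.]mar
"""

# Constructed probe URLs: a permissive allowlist is one that lets an
# arbitrary remote host or a local file path register a model archive.
PROBE_URLS = (
    "https://untrusted.example/anything.mar",
    "file:///tmp/anything.mar",
)

# Finding codes returned by audit_config().
PERMISSIVE_ALLOWLIST = "PERMISSIVE_ALLOWLIST"
MANAGEMENT_ON_ALL_INTERFACES = "MANAGEMENT_ON_ALL_INTERFACES"


def parse_properties(text):
    """Parse key=value lines; skips blanks and '#'/'!' comments.

    Simplified on purpose: Java properties escape sequences are not handled.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def allowlist_is_permissive(allowed_urls):
    """True if any comma-separated pattern fully matches a probe URL."""
    patterns = [p.strip() for p in allowed_urls.split(",") if p.strip()]
    return any(
        re.fullmatch(pattern, url) for pattern in patterns for url in PROBE_URLS
    )


def management_listens_everywhere(management_address):
    """True if the management API is bound to a wildcard address."""
    host = urlparse(management_address).hostname
    return host in ("0.0.0.0", "::")


def audit_config(text):
    """Return the list of finding codes for one config.properties text."""
    props = parse_properties(text)
    findings = []
    if allowlist_is_permissive(props.get("allowed_urls", "")):
        findings.append(PERMISSIVE_ALLOWLIST)
    if management_listens_everywhere(props.get("management_address", "")):
        findings.append(MANAGEMENT_ON_ALL_INTERFACES)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

The allowlist check works by asking whether the configured patterns would accept URLs a defender never intends to allow, rather than by pattern-matching the regex text itself; that keeps it honest against allowlists that look restrictive but still contain a catch-all alternative.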

The other vulnerability — CVE-2022-1471 — is a well-known issue, Guenther explained. The fact that it is present in a tool as popular as TorchServe was another example of the “importance of thorough security reviews, especially when leveraging existing libraries.”

“Given that TorchServe has the backing of industry behemoths like Meta and Amazon and is widely used across the tech sector, such vulnerabilities can ripple across myriad applications, jeopardizing the integrity of AI models and affiliated systems,” she said.

She added that tech giants should be more proactive about using third-party security evaluations to catch issues like these earlier.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.