
AWS warns of ‘ShellTorch’ issue affecting code related to AI models

Amazon Web Services is warning users of a vulnerability affecting TorchServe — a tool used by some of the world’s biggest companies in building artificial intelligence models into their businesses.

The tech giant published an advisory on Monday about the bug, CVE-2023-43654, and urged customers to update to the latest version of TorchServe in an effort to resolve the issue, which essentially exposes important administrative tools to the open internet.

CVE-2023-43654 is part of a set of vulnerabilities named “ShellTorch” by researchers from Israeli security firm Oligo, which discovered the issues.

TorchServe is a popular open-source code package in the PyTorch ecosystem, which is overseen by Amazon and Meta. The project is used by hundreds of organizations around the world, including companies like Walmart, OpenAI, Tesla, Azure, Google Cloud and Intel.

Using the vulnerabilities discovered by Oligo, a hacker could view, modify, steal or delete AI models and sensitive data that moves between the company and the TorchServe server, according to the researchers.

Oligo published details about another bug — CVE-2022-1471 — as well as an issue related to API misconfigurations.

Researchers Idan Levcovich, Guy Kaplan and Gal Elbaz said that using an IP scanner, they discovered “thousands of vulnerable instances publicly exposed, including of some of the world’s largest organizations — open to unauthorized access and insertion of malicious AI models, and potentially a full server takeover.”

They noted the popularity of PyTorch in machine learning research as well as private companies’ AI projects.

“That’s why it shocked our researchers to discover that – with no authentication whatsoever – we could remotely execute code with high privileges, using new critical vulnerabilities in PyTorch open-source model servers (TorchServe),” the Oligo researchers said. “These vulnerabilities make it possible to compromise servers worldwide. As a result, some of the world’s largest companies might be at immediate risk.”

Neither AWS nor Oligo said the vulnerabilities are being exploited. Oligo created a free tool that organizations can use to see if they are affected by the issue. The researchers said both Meta and Amazon have released updates that address some of the issues.

The researchers also provided other advice for companies, including reconfiguring management consoles and limiting access to trusted domains. Meta did not respond to requests for comment.

The issue comes days after two other popular open source libraries — libvpx and libwebp — were found to have vulnerabilities being exploited by hackers.

Oligo noted that the TorchServe vulnerabilities underscore the grave dangers associated with artificial intelligence models relying heavily on open source software.

The White House and a handful of government agencies have called for experts to help them create policies around the cybersecurity of open source software and promote the use of more secure programming languages.

They held a summit last month on the issue and published a roadmap for how the root causes of open source issues can be addressed going forward.

Callie Guenther, senior manager of cyber threat research at cybersecurity company Critical Start, told Recorded Future News that it is now paramount that the AI models being used widely in academia and industry are not weaponized as vectors for exploits.

CVE-2023-43654, the most serious of the vulnerabilities according to experts, “accentuates the necessity of rigorously tested domain whitelisting mechanisms. An ‘allowed list’ that indiscriminately accepts all domains is, paradoxically, a glaring security loophole,” she said.
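The allowlist failure mode Guenther describes, as an added example that is not code from TorchServe, AWS or Oligo: a regex allowlist whose patterns accept any `http(s)://` or `file://` URL is compared with an exact-host check that parses the URL first. The pattern list, trusted host names and sample URLs are constructed for illustration; the exact-host check is a generic hardening, not the project's own fix.

```python
"""Host allowlisting for model-fetch URLs: an accept-all regex beside an exact-host check.

Added example, not TorchServe's code. Patterns, host names and URLs are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed: an "allowed list" that accepts every domain, the loophole the quote warns about.
PERMISSIVE_PATTERNS = [r"file://.*", r"https?://.*"]

# Constructed: the only hosts this deployment should pull model archives from.
TRUSTED_HOSTS = {"models.example-corp.internal", "artifacts.example-corp.internal"}


def regex_allowlist_permits(url: str, patterns=PERMISSIVE_PATTERNS) -> bool:
    """Regex allowlist: the URL passes if any pattern matches from its start."""
    return any(re.match(p, url) for p in patterns)


def strict_allowlist_permits(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Exact-host allowlist: only https URLs whose parsed hostname is trusted.

    Parsing with urlsplit instead of matching the raw string means userinfo
    tricks (https://trusted@other/), look-alike suffixes (trusted.example.other)
    and file:// paths are all rejected rather than pattern-matched.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lower-cased, port and userinfo stripped, None if absent
    if host is None or parts.username is not None:
        return False
    return host in trusted_hosts


def audit(urls):
    """Return (url, permissive_verdict, strict_verdict) for each URL, for review."""
    return [(u, regex_allowlist_permits(u), strict_allowlist_permits(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample URLs of the kinds a reviewer would want to see contrasted.
    samples = [
        "https://models.example-corp.internal/resnet.mar",
        "https://models.example-corp.internal.other.example/resnet.mar",
        "https://models.example-corp.internal@other.example/resnet.mar",
        "http://models.example-corp.internal/resnet.mar",
        "file:///tmp/resnet.mar",
    ]
    for url, permissive, strict in audit(samples):
        print(f"{url:65} permissive={permissive!s:5} strict={strict}")
```

Only the first sample passes the strict check; every sample passes the permissive one, which is why an allowlist with an accept-all pattern offers no protection at all.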

The other vulnerability — CVE-2022-1471 — is a well-known issue, Guenther explained. The fact that it is present in a tool as popular as TorchServe was another example of the “importance of thorough security reviews, especially when leveraging existing libraries.”

“Given that TorchServe has the backing of industry behemoths like Meta and Amazon and is widely used across the tech sector, such vulnerabilities can ripple across myriad applications, jeopardizing the integrity of AI models and affiliated systems,” she said.

She added that tech giants should be more proactive about using third-party security evaluations to catch issues like these earlier.

Clarification (10/4/2023): This story has been updated to reflect that the advisory was published by AWS, a unit of Amazon.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.