Shelltorch

Vulnerability updated 4 months ago (2024-05-04T20:36:45.417Z)

Download STIX

Preview STIX

ShellTorch is a critical vulnerability in the TorchServe software, as identified by Israeli security firm Oligo. The flaw, which has been assigned two CVE identifiers (CVE-2022-1471 and CVE-2023-43654), allows for server-side request forgery (SSRF) and Java deserialization remote code execution (RCE). This means that an attacker could upload a malicious model from a controlled address, leading to arbitrary code execution. Notably, one of these vulnerabilities arises from TorchServe's default setting that exposes a crucial management API to the internet, which does not require authentication for access. The ShellTorch vulnerabilities expose PyTorch models to potential remote code execution, posing significant risks to AI and machine learning solutions. An attacker exploiting these flaws can gain high privileges within the AI infrastructure, enabling them to view, modify, steal, and delete AI models, often containing a business's core intellectual property. Moreover, they could access and alter sensitive data flowing in and out from the target TorchServe server, thereby damaging the trust and credibility of the application. As of now, neither AWS nor Oligo have reported active exploitation of ShellTorch. However, due to the severity of the vulnerabilities and their potential impact, it is advised to correctly configure the management interface to close the major attack vector. While this action mitigates the primary risk, it's important to note that ShellTorch can still be exploited via additional vectors, underscoring the need for comprehensive security measures.

Description last updated: 2024-05-04T17:07:39.147Z

What's your take? (Question 1 of 1)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

ID	Type	Votes	Profile Description
CVE-2023-43654	Unspecified	2	None

Source Document References

Information about the Shelltorch Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	Cyber Security Week in Review: October 6, 2023
CERT-EU	a year ago	Critical 'ShellTorch' Flaws Light Up Open Source AI Users, Like Google
BankInfoSecurity	a year ago	Amazon Web Services Warns of TorchServe Flaws
CERT-EU	a year ago	Cyber Security Today, Oct. 4, 2023 – Critical vulnerabilities found in Linux and TorchServe \| IT World Canada News
CERT-EU	a year ago	Looney Tunables - Linux Vulnerability Exposes Millions of Systems to Attack
CERT-EU	a year ago	Critical TorchServe Flaws Could Expose AI Infrastructure of Major Companies
CERT-EU	a year ago	ShellTorch Flaw Exposes Thousands of AI Servers to RCE Attacks
CERT-EU	a year ago	ShellTorch Vulnerabilities Expose PyTorch Models to Remote Code Execution
CERT-EU	a year ago	ShellTorch vulns expose PyTorch models to remote code execution
CERT-EU	a year ago	ShellTorch flaws expose AI servers to code execution attacks