Source: www.govinfosecurity.com – Author: 1
Artificial Intelligence & Machine Learning
,
Governance & Risk Management
,
Next-Generation Technologies & Secure Development
Open-Source Tool Used By of Global Enterprises Working With AI
Mihir Bagwe (MihirBagwe) •
October 4, 2023
A clutch of vulnerabilities in an open source tool used by major corporations to scale up machine learning models could lead to remote takeover, says a cybersecurity firm in a warning downplayed by Meta, which co-manages the open source project.
See Also: Live Webinar Today | Cyber Resilience: Recovering from a Ransomware Attack
Israeli security firm Oligo in a Tuesday blog post calls a trio of TorchServe vulnerabilities, including one it discovered, “ShellTorch.”
TorchServe is an optional tool in the PyTorch library, “one of the world’s most-used machine learning frameworks,” as Oligo describes it. “PyTorch presents an attractive target to attackers who want to breach AI-based systems,” it adds in the blog post.
The vulnerability it discovered, tracked as CVE-2023-43654 allows an attacker to upload a malicious model to the server, the company says. Combined with a common misconfiguration that leaves TorchServe servers open to the internet and a previous flaw from 2022 that converts a Java message into a malicious object that can execute arbitrary code – a technique known as deserialization – hackers can “remotely run code with high privileges without any authentication,” Oligo says.
Amazon Web Services, which along with social media giant Meta runs the TorchServe project, issued an advisory on Monday. Google also published an advisory on Tuesday.
A Meta spokesperson told Information Security Media Group that the new vulnerability isn’t a problem for users who updated TorchServe week ago. “The issues in TorchServe – an optional tool for PyTorch – were patched in August rendering the exploit chain described in this blog post moot,” the spokesperson said.
Neither AWS nor Oligo have reported active exploitation of “ShellTorch ”
Original Post URL: https://www.govinfosecurity.com/amazon-web-services-warns-torchserve-flaws-a-23230
Category & Tags: –
