Security News > 2023 > October > ShellTorch flaws expose AI servers to code execution attacks
The TorchServe flaws discovered by the Oligo Security research team can lead to unauthorized server access and remote code execution on vulnerable instances.
Due to insecure deserialization in the SnakeYAML library, attackers can upload a model with a malicious YAML file to trigger remote code execution.
"Once an attacker can breach an organization's network by executing code on its PyTorch server, they can use it as an initial foothold to move laterally to infrastructure in order to launch even more impactful attacks, especially in cases where proper restrictions or standard controls are not present," explains Oligo.
Amazon has also published a security bulletin about CVE-2023-43654, providing mitigation guidance for customers using Deep Learning Containers in EC2, EKS, or ECS. Finally, Oligo has released a free checker tool that admins can use to check if their instances are vulnerable to ShellTorch attacks.
Arm warns of Mali GPU flaws likely exploited in targeted attacks.
Millions of Exim mail servers exposed to zero-day RCE attacks.
News URL
Related news
- New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors (source)
- ⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More (source)
- AI-Powered SaaS Security: Keeping Pace with an Expanding Attack Surface (source)
- Who's calling? The threat of AI-powered vishing attacks (source)
- New BPFDoor Controller Enables Stealthy Lateral Movement in Linux Server Attacks (source)
- Developers Beware: Slopsquatting & Vibe Coding Can Increase Risk of AI-Powered Attacks (source)
- Wallarm Agentic AI Protection blocks attacks against AI agents (source)
- Hitachi Vantara takes servers offline after Akira ransomware attack (source)
- China is using AI to sharpen every link in its attack chain, FBI warns (source)
- Critical Langflow RCE flaw exploited to hack AI app servers (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-28 | CVE-2023-43654 | Unspecified vulnerability in Pytorch Torchserve TorchServe is a tool for serving and scaling PyTorch models in production. | 9.8 |