home.social

#shelltorch — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #shelltorch, aggregated by home.social.

  1. "🚨 ShellTorch Attack: A Fiery Threat to PyTorch Models 🚨"

    🔥 The #ShellTorch attack exposes millions of #PyTorch systems to critical Remote Code Execution (RCE) vulnerabilities! Researchers from Oligo Security have unveiled a series of vulnerabilities within the PyTorch Model Server, aka TorchServe. 🤖🛑

    A series of critical vulnerabilities, known as 'ShellTorch,' has been discovered in the TorchServe AI model-serving tool, widely used by organizations such as Amazon, OpenAI, Tesla, Azure, Google, and Intel. These flaws can potentially allow unauthorized access and remote code execution on vulnerable servers. The vulnerabilities affect TorchServe versions 0.3.0 through 0.8.1.

    One of the vulnerabilities stems from a misconfiguration in the management interface API, which exposes it to external requests without proper authentication, enabling malicious model uploads from external sources. Another issue is a remote server-side request forgery (SSRF) that can lead to remote code execution, as all domains are accepted by default. The third vulnerability involves Java deserialization, allowing attackers to execute remote code.

    🔗 Vulnerabilities include:

    • Unauthenticated Management Interface API Misconfiguration
    • CVE-2023-43654: SSRF leading to RCE
    • CVE-2022-1471: Java Deserialization RCE due to SnakeYAML library misuse

    🌐 Affected organizations include giants like Walmart, Amazon, OpenAI, Tesla, Azure, Google Cloud, and Intel. The vulnerabilities allow attackers to execute code remotely with high privileges, potentially affecting thousands of IP addresses globally. 🌎🔓

    🛡️ Mitigation steps:

    • Update to TorchServe v0.8.2 or above 🔄
    • Configure the Management Console 🛠️
    • Control Model Fetching 🚫

    🔗 Source: HackRead, The Hacker News

    🏷️ Tags: #Cybersecurity #Vulnerability #AI #ML #PyTorch #ShellTorch #RCE #CyberAttack #InfoSec #SecurityFlaw #MachineLearning #Artificial

  2. The researchers from Oligo have highlighted the severity of these flaws, stating that they can potentially lead to a full chain Remote Code Execution (RCE) scenario.

    #Vulnerability #Cybersecurity #PyTorch #RCE #ShellTorch

    cybersec84.wordpress.com/2023/

  3. "Three flaws in #TorchServe mean #PyTorch users need an urgent upgrade": The Register

    "Three security issues patched in TorchServe, an open-source tool for scaling PyTorch #MachineLearning models in production, could reportedly lead to server takeover and remote code execution (RCE).

    The three CVEs, collectively called "#ShellTorch", left "tens of thousands of exposed instances" vulnerable."

    theregister.com/2023/10/04/she

    #prattohome #TheResister

  4. Researchers have discovered three security vulnerabilities in TorchServe, an open-source tool for scaling PyTorch machine learning models. These vulnerabilities, collectively known as "ShellTorch," could potentially allow for server takeover and remote code execution (RCE). The flaws were found in the management interface API configuration of TorchServe, making it accessible to external requests without authentication. While there is no evidence of exploitation, it's essential to update TorchServe to the latest version (0.8.2) to mitigate these vulnerabilities and apply additional security measures to protect against potential attacks.

    #Security #Python #Pytorch #AI #ML #ShellTorch #CVE #Cybersecurity #API #RCE #Infosec #Tech #TechBites #Torchserve

  5. Amazon is warning users of a vulnerability affecting TorchServe — a tool used by some of the world’s biggest companies in building artificial intelligence models into their businesses

    #TorchServe #ShellTorch #PyTorch #AI

    therecord.media/pytorch-torchs