AI server takeovers likely with critical TorchServe vulnerabilities

SecurityWeek reports that major companies could have their artificial intelligence infrastructure servers completely hijacked with the exploitation of flaws in the TorchServe open-source package used by Microsoft, Intel, Google, Walmart, and Amazon. Tens of thousands of TorchServe instances are impacted by two critical vulnerabilities, tracked as CVE-2023-43654 and CVE-2022-1471, which could be leveraged to facilitate remote code execution, as well as a default misconfiguration issue that could enable remote unauthenticated access, all of which could be used to allow further systems compromise, according to Oligo researchers who discovered the flaws. "Making these vulnerabilities even more dangerous: when an attacker exploits the model serving server, they can access and alter sensitive data flowing in and out from the target TorchServe server, harming the trust and credibility of the application," said Oligo, which added that lateral movement may not been needed in facilitating compromise with the flaws. Immediate application of the latest TorchServe version issued in August that addressed the vulnerabilities has been urged.