Vulnerability Discovered In Amazon/Meta Web Services

On Oct 1 Amazon Web Services warned users of a vulnerability that affects TorchServe, and instructed customers to update to the latest version in an effort to resolve the issue. If it isn’t resolved, important administrative tools are open to the internet.

The PyTorch ecosystem administered by Amazon and Meta features TorchServe. It is a popular open-source code package used globally by Walmart, Tesla, Azure, Google Cloud, and many more organizations.

The Record quotes researchers from Oligo, an Israeli cybersecurity firm that spotted the bug. They say that a hacker could view, modify, steal, or delete AI models and sensitive data that move between the company and the TorchServe server.

“It shocked our researchers to discover that – with no authentication whatsoever – we could remotely execute code with high privileges, using new critical vulnerabilities in PyTorch open-source model servers (TorchServe),” the Oligo researchers said. “These vulnerabilities make it possible to compromise servers worldwide. As a result, some of the world’s largest companies might be at immediate risk.”

Callie Guenther, senior manager of cyber threat research at cybersecurity company Critical Start, told Recorded Future News that because TorchServe has the backing of big tech like Meta and Amazon and is widely used across the tech sector, “vulnerabilities can ripple across myriad applications, jeopardizing the integrity of AI models and affiliated systems.”

The researchers advise reconfiguring management consoles and limiting access to trusted domains. The bug was discovered just days after vulnerabilities were found in two other popular open-source libraries, libvpx and libwebp. Those were already being exploited by hackers.