Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
GPU and DSP Vulnerabilities Actively Targeted
The security landscape has developed a sudden nasty rash of vulnerabilities in the drivers for GPU (Graphics Processing Unit) and DSP (Digital Signal Processing) chips - and what's worse, these vulns are being actively exploited in attacks.
Qualcomm
Qualcomm was notified by the Google Threat Analysis Group and Google Project Zero that three vulnerabilities are under limited, targeted exploitation. The vulnerabilities are:
At the time of writing, most of these do not appear in the National Vulnerability Database, but CVE-2022-22071 was described in Qualcomm's May 2022 Security Bulletin as a use-after-free vulnerability in Automotive Android OS. There's no real information about the first three vulns in Qualcomm's October 2023 Security Bulletin, though, other than a statement that:
"Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible. Please contact your device manufacturer for more information on the patch status about specific devices."
However, the bulletin does cover three other critical vulnerabilities:
- CVE-2023-24855 (CVSS v3.x score 9.8): Use of out-of-range pointer offset in modem causing memory corruption in Qualcomm’s Modem component occurring when processing security-related configurations before the AS Security Exchange.
- CVE-2023-28540 (CVSS v3.x score 9.1): Improper authentication in Data Modem caused by a cryptographic issue in the Data Modem component arising during the TLS handshake.
- CVE-2023-33028 (CVSS v3.x score 9.8): Memory corruption in the WLAN firmware occurring while copying the PMK cache memory without performing size checks.
ARM Mali GPU Driver
Similarly, Maddie Stone of Google's Threat Analysis Group and Jann Horn of Google Project Zero have disclosed a vulnerability in ARM's Midgard, Bifrost, Valhall and Arm 5th Gen GPU architecture kernel drivers:
CVE-2023-4211 (CVSS 3.x score: ARM Mali GPU kernel driver use-after-free vulnerability allows a local non-privileged user to access already freed memory via improper GPU memory processing operations.
The issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0, but there is evidence that it is under limited, targeted exploitation, and CISA has added it to its Known Exploited Vulnerabilities Catalog.
ARM, Mali GPU Driver Vulnerabilities, advisory, 2 October 2023. Available online at https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities.
Qualcomm, October 2023 Security Bulletin, advisory, 2 October 2023. Available online at https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2023-bulletin.html.
ShellTorch RCE Vulnerability Affects AI Models
PyTorch is a popular open-source machine learning framework which is widely used in production, often via TorchServe. TorchServe is an open-source package for serving and scaling PyTorch models, primarily used in training and developing AI models. While TorchServe is maintained by Meta and Amazon, it counts Amazon, OpenAI, Tesla, Microsoft, Google and Intel among its users.
Now researchers at Oligo Security have reported the discovery of a number of critical vulnerabilities in TorchServe which together provide an exploit chain leading to remote code execution. Thousands of vulnerable instances are publicly exposed, including many at the companies named above.
The default configuration of TorchServe accidentally exposes the management interface to the entire world (by binding to all interfaces rather than just localhost), without any form of authentication. This can be combined with CVE-2023-43654, a server-side request forgery vulnerability (CVSS 3.x score 9.8) in the management interface that provides remote code execution, allowing configuration uploads from any domain. The researchers also found that TorchServe can be exploited via an unsafe deserialization vulnerability in the SnakeYAML library (CVE-2022-1471), giving a malicious model the capability of remote code execution.
The exploitation chain, called "ShellTorch", ends with the complete takeover of an AI model - and there are tens of thousands of exposed instances of vulnerable TorchServe applications around the world.
The vulnerabilities are present in TorchServe versions 0.3.0 through to 0.8.1. However, version 0.8.2 only partially mitigates CVE-2023-43654 by alerting the user to the possibility of uploads from invalid domains. Users should go through additional steps to secure their TorchServe installations by editing the config.properties file:
Ensure that the management console binds to only the loopback interface, by adding:
And make sure the server is able to fetch models from only trusted domains, by adding a line containing them, such as:
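As an added illustration of the two hardening steps above (this is my own script, not Oligo's checker and not TorchServe's code), the following Python audits a config.properties for a management interface that is not pinned to loopback and for an allowed_urls list that would accept a model from an untrusted origin. The key names management_address and allowed_urls are TorchServe's own; the two sample configurations, the probe URL and the "permissive if it matches an untrusted origin" heuristic are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the kind of config.properties the write-up warns about
# (management API on all interfaces, model fetches allowed from anywhere).
WEAK_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
allowed_urls=file://.*|http(s)?://.*
"""

# Constructed sample after applying the two hardening lines from the text.
HARDENED_CONFIG = """\
inference_address=http://127.0.0.1:8080
management_address=http://127.0.0.1:8081
allowed_urls=https://s3.amazonaws.com/.*,https://models.example.internal/.*
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Hypothetical untrusted origin, used only to probe whether an allowed_urls
# pattern is effectively "anything goes".
PROBE_URL = "https://untrusted.invalid/model.mar"


def parse_properties(text):
    """Minimal Java-style .properties parser: key=value, '#'/'!' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def management_host(props):
    """Host part of management_address, or None if the key is not set explicitly."""
    addr = props.get("management_address")
    if addr is None:
        return None
    return urlparse(addr).hostname


def permissive_url_patterns(props):
    """Return the allowed_urls patterns that would accept a model from PROBE_URL.

    allowed_urls is a comma-separated list of regular expressions. If the key
    is absent, return [None] so the caller treats 'unset' as a finding too.
    """
    raw = props.get("allowed_urls")
    if raw is None:
        return [None]
    bad = []
    for pattern in raw.split(","):
        pattern = pattern.strip()
        try:
            if re.fullmatch(pattern, PROBE_URL):
                bad.append(pattern)
        except re.error:
            bad.append(pattern)  # unparseable pattern: flag it for review
    return bad


def audit(text):
    """Return a list of findings; an empty list means both hardening lines are in place."""
    props = parse_properties(text)
    findings = []
    host = management_host(props)
    if host is None:
        findings.append("management_address not set: add management_address=http://127.0.0.1:8081")
    elif host not in LOOPBACK_HOSTS:
        findings.append(f"management API bound to {host}, not loopback")
    for pattern in permissive_url_patterns(props):
        if pattern is None:
            findings.append("allowed_urls not set: model fetches allowed from any domain")
        else:
            findings.append(f"allowed_urls pattern {pattern!r} accepts untrusted origins")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['OK']}")
```

Run against the weak sample it reports both problems; against the hardened sample it reports none. Treating a missing key as a finding is deliberate: the advice above is to add the lines explicitly rather than rely on whatever default the packaged config.properties happens to carry.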
Oligo have also made available a tool which can check a TorchServe installation for the vulnerabilities. Their blog post contains a full write-up and description.
Levcovich, Idan, Guy Kaplan and Gal Elbaz, ShellTorch: Multiple Critical Vulnerabilities in PyTorch Model Server (TorchServe) (CVSS 9.9, CVSS 9.8) Threatens Countless AI Users - Immediate Action Required, blog post, 3 October 2023. Available online at https://www.oligo.security/blog/shelltorch-torchserve-ssrf-vulnerability-cve-2023-43654.
Upcoming Courses
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
- SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.