Active exploit campaign named ShadowRay targets Ray AI framework

A vulnerability within the Ray AI framework, tracked as CVE-2023-48022 (CVSS 9.8) is being actively exploited in a campaign called ShadowRay. The vulnerability allows remote attackers to execute arbitrary code through the job submission API in versions 2.6.3 and 2.8.0 of Anyscale Ray. The core issue arises from the framework's designed capability for remote code execution, which, while central to Ray's functionality, has led to this significant security concern.

According to findings in Oligo Security’s blog post, the exploit has led to the compromise of numerous Ray servers worldwide. Some of the compromised machines have been under attack for over half a year.

Attackers have been able to obtain valuable insights from command history stored on these machines, potentially exposing critical production secrets.

“As of now, Oligo has found hundreds of compromised clusters. Each cluster consists of many nodes, which are machines connected to the cluster over the network. Most nodes have GPUs, which are leveraged by attackers for cryptocurrency mining, making this infrastructure an even bigger target for attacks. In other words, attackers choose to compromise these machines not only because they can obtain valuable sensitive information, but because GPUs are very expensive and difficult to obtain, especially these days.”

Anyscale contends that the vulnerability's report is not relevant, arguing that Ray's intended use within a strictly controlled network environment mitigates such risks. So far CVE-2023-48022 remains unresolved due to its alignment with the framework's design principles and deployment best practices.

Recognizing divergent viewpoints on this matter, Anyscale has committed to integrating authentication features in future releases as part of a defense-in-depth strategy, although they maintain that reliance on internal isolation controls like authentication may not be sufficient.