The Ray framework, a tool for scaling AI and Python workloads in open source, has been found vulnerable to multiple flaws that enable hackers to take control of devices and pilfer sensitive data. Cybersecurity researchers from Oligo disclosed their discoveries about a new hacking campaign named “ShadowRay”.
Operating since early September 2023, ShadowRay targeted various sectors including education, cryptocurrency, and biopharma by exploiting five distinct vulnerabilities in Ray. Four of these vulnerabilities, identified as CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023, were patched by Anyscale, the developer of Ray. However, the fifth vulnerability, labelled as a critical remote code execution (RCE) flaw and tracked as CVE-2023-48022, remained unaddressed.
Anyscale defended the unpatched vulnerability, stating that it was a deliberate decision rather than a bug, as Ray lacks built-in authentication. They indicated their intention to introduce authentication in a future release as part of a defense-in-depth strategy. Anyscale argued that exploitation of this RCE flaw would only be feasible in deployments deviating from their recommended network environment controls.
In contrast, Oligo criticized Anyscale's stance, highlighting that disputing the CVE left many developers unaware of potential security risks. They termed the unresolved CVE as a "shadow vulnerability", explaining that it could lead to breaches despite not being detected in static scans.
Oligo observed numerous instances of the CVE-2023-48022 actively exploited in the wild, resulting in compromised Ray servers and the theft of sensitive data, including AI models and production database credentials, along with instances of cryptominer installations.