
### Critical Security Flaw Discovered in Ray AI Framework

A critical issue in open source AI framework Ray could provide attackers with operating system acce…

Bishop Fox Alerts About a Severe Flaw in Ray, an AI Compute Framework, Allowing Unauthorized Access to Nodes

Bishop Fox, a cybersecurity firm, has raised concerns about a critical vulnerability in Ray, an open-source AI compute framework. This vulnerability, identified as CVE-2023-48023, stems from Ray’s inadequate enforcement of authentication measures in specific components, such as the dashboard and client.

Exploiting this loophole, a remote attacker could manipulate job submissions, delete tasks without proper authentication, and potentially access sensitive data or execute arbitrary code, as outlined by Bishop Fox. The ramifications of this vulnerability could extend to gaining unauthorized access to all nodes within the Ray cluster or attempting to extract Ray EC2 instance credentials in AWS cloud setups.

The core issue lies in Ray’s default configuration, which lacks authentication enforcement and appears to lack support for an authorization model, despite mentioning an optional mutual TLS authentication mode in its documentation. Even if TLS authentication were enabled by a Ray administrator, the inability to assign varying permissions, like read-only access to the Ray dashboard, remains a challenge, according to Bishop Fox.

The cybersecurity firm also highlights the exploitability of CVE-2023-48023 through the job submission API, enabling the submission of arbitrary OS commands. Additionally, the absence of authentication in Ray paves the way for other security vulnerabilities, including those recently brought to light by Protect AI, the entity behind Huntr, an AI and ML bug bounty platform.

Bishop Fox mentions independently identifying two of these vulnerabilities and sharing them with Ray’s maintainers, Anyscale, concurrently with Protect AI. However, Anyscale’s stance on unauthenticated remote code execution as an intentional feature led to the closure of these reports, as per Bishop Fox.

Moreover, the Ray jobs Python SDK and client API are susceptible to unauthenticated remote code execution, allowing threat actors to exploit these avenues by crafting malicious scripts or leveraging the Ray API for task submissions.

The advisory also underscores additional critical vulnerabilities in Ray, such as a server-side request forgery (SSRF) flaw (CVE-2023-48022) and an insecure input validation issue (CVE-2023-6021), reported by Protect AI to the vendor in recent months. Despite these disclosures, some vulnerabilities remain unaddressed, either due to the vendor’s lack of acknowledgment or reluctance to remediate them.
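Because the dashboard and client enforce no authentication by default, a practical defensive check is whether those services listen on anything other than loopback. The following is an added example, not code from Bishop Fox, Anyscale or the original article: it parses `ss -ltnH` output and flags exposed Ray listeners. The ports are Ray's defaults (8265 for the dashboard and jobs API, 10001 for the Ray Client server), the function names are hypothetical, and the sample output is constructed.

```python
import ipaddress

# Assumption: the cluster uses Ray's default ports.
RAY_PORTS = {8265: "dashboard / jobs API", 10001: "Ray Client server"}

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128  127.0.0.1:6379   0.0.0.0:*
LISTEN 0 128  0.0.0.0:8265     0.0.0.0:*
LISTEN 0 128  [::1]:10001      [::]:*
LISTEN 0 128  *:22             *:*
LISTEN 0 4096 10.0.4.17:10001  0.0.0.0:*
"""


def parse_local(field):
    """Split an ss 'Local Address:Port' field into (address, port)."""
    host, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    host = host.strip("[]").split("%")[0]
    return host, int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; wildcards count as exposed."""
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_ray_listeners(ss_output):
    """Return (address, port, service) for Ray ports bound off-loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = parse_local(cols[3])
        if port in RAY_PORTS and not is_loopback(host):
            findings.append((host, port, RAY_PORTS[port]))
    return findings


if __name__ == "__main__":
    for host, port, service in exposed_ray_listeners(SAMPLE_SS):
        print(f"Ray {service} reachable on {host}:{port}; restrict by firewall or bind to loopback")
```

On a real node, feed the function the output of `ss -ltnH`; any finding means the unauthenticated service is reachable from whatever networks can route to that address.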

Last modified: February 18, 2024