Security News > 2024 > March > Hackers exploit Ray framework flaw to breach servers, hijack resources

Ray is an open-source framework developed by Anyscale that is used to scale AI and Python applications across a cluster of machines for distributed computational workloads.
In November 2023, Anyscale disclosed five Ray vulnerabilities, fixing four tracked as CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023.
"The remaining CVE - that Ray does not have authentication built in - is a long-standing design decision based on how Ray's security boundaries are drawn and consistent with Ray deployment best practices, though we intend to offer authentication in a future version as part of a defense-in-depth strategy," reads the Anyscale security advisory.
Specifically, Anyscale stated that the flaw is exploitable only in deployments that violate the project's documented recommendation to limit Ray's use to a strictly controlled network environment.
Following these discoveries, Oligo says they alerted many companies that were breached using the Ray bug and provided assistance with remediation.
To secure Ray deployments, it's crucial to operate within a secured environment by enforcing firewall rules, adding authorization to the Ray Dashboard port, and continuously monitoring for anomalies.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-11-28 | CVE-2023-48023 | Server-Side Request Forgery (SSRF) vulnerability in Anyscale RAY 2.6.3/2.8.0. Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. | 9.1 |
2023-11-16 | CVE-2023-6020 | Unspecified vulnerability in RAY Project RAY. LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. | 7.5 |
2023-11-16 | CVE-2023-6021 | Path Traversal vulnerability in RAY Project RAY. LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. | 7.5 |
2023-11-16 | CVE-2023-6019 | Unspecified vulnerability in RAY Project RAY. A command injection existed in Ray's cpu_profile URL parameter, allowing attackers to execute OS commands remotely, without authentication, on the system running the Ray dashboard. | 9.8 |
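
One way to approach the monitoring recommended above, as an added example (not code from the article, Anyscale or Oligo): it reviews access-log lines for a Ray Dashboard and flags requests from outside the trusted network, tagging those that touch the URL markers named in the table. The log format, the trusted network 10.20.0.0/24, the request paths and the function name analyze are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Assumption: only this network should ever reach the dashboard.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# URL markers from the CVE descriptions on this page. No path is given
# there for the CVE-2023-6021 log API endpoint, so it is not listed.
CVE_MARKERS = {
    "/log_proxy": "CVE-2023-48023",
    "/static/": "CVE-2023-6020",
    "cpu_profile": "CVE-2023-6019",
}

# Constructed sample lines: "<source ip> <method> <url> <status>".
# Paths are placeholders, not real Ray routes.
SAMPLE_LOG = """\
10.20.0.15 GET /static/js/main.js 200
203.0.113.7 GET /static/..%2f..%2fexample.txt 200
203.0.113.7 GET /log_proxy 200
198.51.100.9 GET /api/placeholder/cpu_profile 200
198.51.100.9 GET /index.html 200
malformed entry
"""

def analyze(log_text):
    """Return (line number, source, reasons, related CVEs) per flagged request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue  # not in the expected format
        src, url = parts[0], parts[2]
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # source field is not an IP address
        # Decode twice so double-encoded separators are also caught.
        path = unquote(unquote(urlsplit(url).path))
        reasons = []
        if not any(ip in net for net in TRUSTED_NETS):
            reasons.append("untrusted-source")
        if "../" in path or "..\\" in path:
            reasons.append("path-traversal")
        cves = sorted(c for m, c in CVE_MARKERS.items() if m in path)
        if reasons:
            findings.append((lineno, src, reasons, cves))
    return findings

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```

Because the dashboard has no built-in authentication, any hit from an untrusted source is worth reviewing even when no CVE marker matches.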