Security News > 2024 > March > Hackers exploit Ray framework flaw to breach servers, hijack resources
Ray is an open-source framework developed by Anyscale that is used to scale AI and Python applications across a cluster of machines for distributed computational workloads.
In November 2023, Anyscale disclosed five Ray vulnerabilities, fixing four tracked as CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023.
"The remaining CVE - that Ray does not have authentication built in - is a long-standing design decision based on how Ray's security boundaries are drawn and consistent with Ray deployment best practices, though we intend to offer authentication in a future version as part of a defense-in-depth strategy," reads the AnyScale security advisory.
Specifically, Anyscale stated that the flaw is exploitable only in deployments that violated the recommendations in the project's documentation to limit Ray's use in a strictly controlled network environment.
Following these discoveries, Oligo says they alerted many companies that were breached using the Ray bug and provided assistance with remediation.
To secure Ray deployments, it's crucial to operate within a secured environment by enforcing firewall rules, adding authorization to the Ray Dashboard port, and continuously monitoring for anomalies.
News URL
Related news
- Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining (source)
- ArcaneDoor hackers exploit Cisco zero-days to breach govt networks (source)
- Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware (source)
- Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware (source)
- Magnet Goblin Hacker Group Leveraging 1-Day Exploits to Deploy Nerbian RAT (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Aiohttp bug to find vulnerable networks (source)
- Chinese Earth Krahang hackers breach 70 orgs in 23 countries (source)
- Russia Hackers Using TinyTurla-NG to Breach European NGO's Systems (source)
- Finland confirms APT31 hackers behind 2021 parliament breach (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-28 | CVE-2023-48023 | Server-Side Request Forgery (SSRF) vulnerability in Anyscale RAY 2.6.3/2.8.0 Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. | 9.1 |
| 2023-11-16 | CVE-2023-6020 | Missing Authorization vulnerability in RAY Project RAY LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. | 7.5 |
| 2023-11-16 | CVE-2023-6021 | Path Traversal vulnerability in RAY Project RAY LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. | 7.5 |
| 2023-11-16 | CVE-2023-6019 | OS Command Injection vulnerability in RAY Project RAY A command injection existed in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. | 9.8 |