Tool Abuse / Excessive AgencyCritical

ShadowRay: Ray AI framework exploited in the wild (CVE-2023-48022)

March 2024  ·  Ray (Anyscale)

What happened

A missing-authentication design in the Ray distributed-compute framework's Jobs API let unauthenticated attackers run arbitrary code on internet-exposed clusters (CVE-2023-48022). Oligo Security found hundreds of production Ray servers actively compromised for cryptomining and theft of AI models, credentials, and cloud tokens. Anyscale disputed the CVE as intended behavior, so many instances stayed exposed.

Root cause

The Ray Jobs API exposed job submission with no authentication by default, so any operator who exposed the dashboard to the network handed attackers direct command execution.

Fix / outcome

Anyscale maintains the behavior is by design and recommends network isolation and an authenticating proxy rather than a code patch. Restrict the dashboard to trusted networks.

Sources

Oligo Security (discoverer)

Learn this attack class

This incident is an example of Tool Abuse / Excessive Agency. Read the guide, then try it hands-on in the Academy.

Read the guide →Try the challenge

← Back to the Incident Database