A critical vulnerability in the open source compute framework for AI, Ray, has been identified by cybersecurity firm Bishop Fox. The vulnerability, tracked as CVE-2023-48023, allows unauthorized access to all nodes. This issue exists because Ray does not properly enforce authentication on its dashboard and client components.
By exploiting this vulnerability, a remote attacker could submit or delete jobs without authentication, retrieve sensitive information, and execute arbitrary code. This could lead to obtaining operating system access to all nodes in the Ray cluster. The default configuration of Ray does not enforce authentication, and there does not seem to be support for any type of authorization model.
Additionally, attackers could exploit this vulnerability using the job submission API to submit arbitrary operating system commands. Other security vulnerabilities in Ray, including a server-side request forgery (SSRF) bug (CVE-2023-48022) and an insecure input validation flaw (CVE-2023-6021), have also been identified.
Bishop Fox reported two of these issues to Ray’s maintainers, Anyscale, at the same time as Protect AI, but they were closed as the vendor claims unauthenticated remote code execution is intentional and not a vulnerability.
The cybersecurity firm warns that these critical-severity vulnerabilities in Ray remain unpatched, as the vendor does not recognize them as security defects or does not want to address them.