CVE-2023-48022 Scanner

Ray, developed by Anyscale, is a distributed computing platform widely used for executing machine learning applications and parallel programming tasks. Its scalability and easy-to-use API make it popular among data scientists and engineers aiming to process large datasets and run algorithms in distributed environments. The software is often deployed in cloud-based setups and on-premises clusters, providing flexibility and robustness to various computational workflows. Companies leverage Ray for its ability to seamlessly manage clusters and optimize workloads. It is integrated into numerous AI and data engineering pipelines, supporting advanced analytics and machine learning model deployments. As a critically acclaimed tool, security within Ray's API and operation is paramount.

The Remote Code Execution (RCE) vulnerability in Ray allows a malicious actor with network access to execute arbitrary code. This high-risk vulnerability originates from the insecure handling of job submission requests by Ray's API endpoints. Attackers could exploit this flaw by sending specially crafted requests to the Ray Dashboard API, potentially gaining unauthorized control over job executions. The ease of exploitation due to the lack of authentication or authorization checks before executing jobs makes it particularly dangerous. The risk posed by this vulnerability is significant, as it can compromise the integrity, confidentiality, and availability of the systems running Ray. Given its severity, proper mitigation measures are necessary to prevent exploitation.

Technical details on this vulnerability indicate that the HTTP POST method used in submitting jobs does not sufficiently validate the content's authenticity or intent. It is the presence of generic entry points like 'id' which, when crafted maliciously, can trigger unintended code execution pathways. The use of GET requests to obtain job logs further denotes a lack of access control, as log files can include sensitive data indicative of system status or other useful outputs for an attacker. The vulnerability is exacerbated by the absence of robust input sanitation and insufficient rate limiting on the endpoint. Overall, the weak perimeter around Ray's job submission API underlies the ease with which this vulnerability can be exploited.

Possible effects of exploiting this RCE vulnerability may include the execution of unauthorized commands in the operating environment where Ray is deployed. This could lead to data breaches, tampering with processed data, disruptions in service, or even full system compromise depending on the permissions associated with the exploited processes. Attackers could further install persistent malicious software, pivot to more sensitive networked systems, or exfiltrate sensitive data. The overarching risk is that attackers gain control over workflows meant for legitimate machine learning or data processing uses. Since such platforms often process critical operations, the resulting disruption and data compromise could have significant repercussions.

REFERENCES

• https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
• https://vulncheck.com/xdb/497d7fb3b118
• https://github.com/jakabakos/ShadowRay-RCE-PoC-CVE-2023-48022
• https://vulncheck.com/xdb/d3bafad9c9f6
• https://github.com/0x656565/CVE-2023-48022
• https://nvd.nist.gov/vuln/detail/cve-2023-48022