PT-2023-8933 · Anyscale · Anyscale Ray

Jakaba01 · Published 2023-08-28 · Updated 2025-11-30 · CVE-2023-48022

CVSS v3.1: 10.0 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Anyscale Ray versions 2.6.3 through 2.8.0
Description: Anyscale Ray versions 2.6.3 and 2.8.0 contain a remote code execution issue caused by insufficient validation of incoming requests to the job submission API: the dashboard accepts job submissions on the /api/v1/jobs endpoint without any authentication, so anyone who can reach that endpoint can execute arbitrary code on the cluster's hosts. The vendor's position is that the report is not relevant because Ray, as its documentation states, is not intended for use outside a strictly controlled network environment. The issue, dubbed ShadowRay, has been actively exploited in campaigns that compromise AI compute clusters and build a self-propagating botnet. The campaign has affected numerous organizations, with over 230,000 Ray servers exposed. Attackers use the flaw to deploy malicious Python payloads for resource optimization, establish reverse shells for command and control, and set up persistence mechanisms. The exploitation targets GPU resources for cryptocurrency mining and uses a self-propagating model to amplify the compromise and extract sensitive data.
Recommendations: For Anyscale Ray versions 2.6.3 and 2.8.0, isolate the dashboard endpoints (which host the Jobs API) from untrusted networks, place authentication in front of them, restrict API access to known sources, and scan for use of the Jobs API from untrusted sources.
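The last recommendation, scanning for Jobs API use from untrusted sources, is the one an operator can act on immediately from existing logs. The following detector is an added example written for this page; it is not code from Positive Technologies, Anyscale or the Ray project. It assumes the dashboard sits behind a reverse proxy that writes a combined-format access log (the log lines below are constructed for the example), and it assumes a hypothetical allow-list of trusted CIDRs (TRUSTED_NETS). It matches both the /api/v1/jobs path listed above and the /api/jobs/ prefix that Ray's own job submission client posts to, and rates submissions (POST/PUT/DELETE) higher than read-only listing (GET), which is reconnaissance rather than code execution.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical allow-list: the cluster's own subnet and one ops bastion.
# Any Jobs API request from outside these networks is treated as untrusted.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/16"),
    ipaddress.ip_network("192.168.50.10/32"),
]

# Jobs API path prefixes: /api/v1/jobs as listed in the advisory, and
# /api/jobs/ as used by Ray's JobSubmissionClient. Either one is a hit.
JOBS_API = re.compile(r"^/api/(?:v1/)?jobs(?:/|$)")

# nginx/Apache "combined" log format, assumed for a reverse proxy in front
# of the Ray dashboard: ip ident user [ts] "METHOD path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ts: str
    src: str
    method: str
    path: str
    status: int
    severity: str


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source field: fail closed, treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def scan(lines):
    """Return a Finding for every Jobs API request from an untrusted source."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip it
        path = m["path"].split("?", 1)[0]  # drop query string before matching
        if not JOBS_API.match(path):
            continue
        if is_trusted(m["ip"]):
            continue
        # A write to the Jobs API is a job submission, i.e. code execution on
        # the cluster; a GET only lists jobs and is rated as reconnaissance.
        severity = "high" if m["method"] in ("POST", "PUT", "DELETE") else "medium"
        findings.append(
            Finding(m["ts"], m["ip"], m["method"], path, int(m["status"]), severity)
        )
    return findings


# Constructed sample log: one legitimate in-cluster submission, one outside
# address that fingerprints the dashboard, lists jobs, then submits a job,
# one unrelated dashboard page view, and one malformed line.
SAMPLE_LOG = [
    '10.0.3.7 - - [10/Nov/2025:08:01:12 +0000] "POST /api/jobs/ HTTP/1.1" 200 163 "-" "python-requests/2.31.0"',
    '203.0.113.45 - - [10/Nov/2025:08:02:03 +0000] "GET /api/version HTTP/1.1" 200 97 "-" "python-requests/2.31.0"',
    '203.0.113.45 - - [10/Nov/2025:08:02:05 +0000] "GET /api/jobs/ HTTP/1.1" 200 412 "-" "python-requests/2.31.0"',
    '203.0.113.45 - - [10/Nov/2025:08:02:09 +0000] "POST /api/v1/jobs HTTP/1.1" 200 163 "-" "python-requests/2.31.0"',
    '198.51.100.9 - - [10/Nov/2025:08:05:44 +0000] "GET /nodes?view=summary HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    "garbage line that is not an access log entry",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.src} {f.method} {f.path} -> {f.status}")
```

A 200 on an untrusted POST is the line to page on: it means a job (and therefore arbitrary code) was accepted. Run the same scan over the full retention window of the proxy log, since the campaign described above establishes persistence, so the first submission may predate the detection by a long time.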

Exploit · Fix · DoS · RCE · SSRF · Missing Authorization

Weakness Enumeration

Related Identifiers

BDU:2024-02669
CVE-2023-48022
GHSA-6WGJ-66M2-XXP2

Affected Products

Anyscale Ray