An active attack targeting a vulnerability in Ray, a widely used open-source AI framework, has impacted thousands of companies and servers running AI infrastructure — computing resources that were exposed to the attack through a critical vulnerability that’s under dispute and has no patch.
Oligo researchers said in a March 26 blog post that the bug lets attackers take over a company’s computing power and leak sensitive data. The flaw — CVE-2023-48022 — has been under active exploitation for the last seven months, affecting sectors such as education, cryptocurrency, and medical and video analytics companies.
Here’s how the situation developed: Late last year, the researchers said five unique vulnerabilities in Ray were disclosed to unified compute platform Anyscale, the developers and Ray maintainers. The vulnerabilities were disclosed by Bishop Fox, Bryce Bearchell and Protect AI.
Following the disclosure, Anyscale posted a blog that addressed the vulnerabilities, clarified the chain of events, and detailed how each CVE was addressed. While four of the reported vulnerabilities were fixed in Ray version 2.8.1, the fifth CVE (CVE-2023-48022) remains disputed, meaning that it was not considered a risk and was not addressed with a patch.
The Oligo researchers said because CVE-2023-48022 was disputed, many development teams are not aware this vulnerability should concern them. Some of them might have missed this documentation section of Ray, while some of them are unaware of this feature.
“When attackers get their hands on a Ray production cluster, it’s a jackpot,” wrote the researchers. “Valuable company data plus remote code execution makes it easy to monetize attacks — all while remaining in the shadows, totally undetected and, with static security tools, undetectable.”
The Oligo researchers added that production workloads were compromised, so an attacker could affect an AI model's integrity or accuracy, steal models, and infect models during the training phase. The researchers named this CVE "ShadowRay," claiming that it was the first known instance of AI workloads actively being exploited in the wild through vulnerabilities in modern AI infrastructure.
“Previous AI workloads have been attacked, but Ray represents a new level of capability that makes it possible to blur the distinction of being the first,” said John Gallagher, vice president of Viakoo Labs. “It’s likely to be the first to give threat actors access to datasets and models, access to third-party tokens in a readable secret or environment variable and integrations of many kinds, based on the most powerful compute capabilities.”
There’s an arms race in deploying AI training workloads for a multitude of use cases, with many different software frameworks making it hard for security and cloud operations teams to keep track of what software data scientists and developers are deploying and in which configurations, explained Saumitra Das, vice president of engineering at Qualys. Das added that these AI workloads are typically deployed in the public cloud, creating an attack chain into the cloud itself, in this case, by leaking access to the metadata in APIs and secrets.
“AI workloads have been attacked before, including via access to exposed Jupyter notebooks,” said Das. “Organizations need to focus on isolating these AI workloads because they typically do not need to be publicly accessible and focus on cloud misconfigurations related to these workloads that either allow initial access into, or lateral movement from, the AI workload.”
