NCSA Webboard
    • ล่าสุด
    • แท็ก
    • ฮิต
      • ติดต่อสำนักงาน
    • ลงทะเบียน
    • เข้าสู่ระบบ

    Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining

    Cyber Security News
    1
    1
    29
    โหลดโพสเพิ่มเติม
    • เก่าสุดไปยังใหม่สุด
    • ใหม่สุดไปยังเก่าสุด
    • Most Votes
    ตอบ
    • ตอบโดยตั้งกระทู้ใหม่
    เข้าสู่ระบบเพื่อตอบกลับ
    Topic นี้ถูกลบไปแล้ว เฉพาะผู้ใช้งานที่มีสิทธิ์ในการจัดการ Topic เท่านั้นที่จะมีสิทธิ์ในการเข้าชม
    • NCSA_THAICERTN
      NCSA_THAICERT
      แก้ไขล่าสุดโดย NCSA_THAICERT

      • Oligo Security researchers Avi Lumelsky, Guy Kaplan, and Gal Elbaz said in a Tuesday disclosure. "This flaw has been under active exploitation for the last seven months, affecting sectors like education, cryptocurrency, biopharma, and more." The campaign, ongoing since September 2023, has been codenamed ShadowRay by the Israeli application security firm. It also marks the first time AI workloads have been targeted in the wild through shortcomings underpinning the AI infrastructure. Ray is an open-source, fully-managed compute framework that allows organizations to build, train, and scale AI and Python workloads. It consists of a core distributed runtime and a set of AI libraries for simplifying the ML platform. It's used by some of the biggest companies, including OpenAI, Uber, Spotify, Netflix, LinkedIn, Niantic, and Pinterest, among others. The security vulnerability in question is CVE-2023-48022 (CVSS score: 9.8), a critical missing authentication bug that allows remote attackers to execute arbitrary code via the job submission API. It was reported by Bishop Fox alongside two other flaws in August 2023. The cybersecurity company said the lack of authentication controls in two Ray components, Dashboard, and Client, could be exploited by "unauthorized actors to freely submit jobs, delete existing jobs, retrieve sensitive information, and achieve remote command execution." This makes it possible to obtain operating system access to all nodes in the Ray cluster or attempt to retrieve Ray EC2 instance credentials. Anyscale, in an advisory published in November 2023, said it does not plan to fix the issue at this point in time. "That Ray does not have authentication built in – is a long-standing design decision based on how Ray's security boundaries are drawn and consistent with Ray deployment best practices, though we intend to offer authentication in a future version as part of a defense-in-depth strategy," the company noted. It also cautions in its documentation that it's the platform provider's responsibility to ensure that Ray runs in "sufficiently controlled network environments" and that developers can access Ray Dashboard in a secure fashion.

      ที่มาแหล่งข่าว
      https://thehackernews.com/2024/03/critical-unpatched-ray-ai-platform.html

      250c81e0-dd4e-4334-a0cf-1cb60554f823-image.png สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

      1 การตอบกลับ คำตอบล่าสุด ตอบ คำอ้างอิง 0
      • First post
        Last post