Ray Critical Remote Code Execution Vulnerability via DNS Rebinding Attack in Firefox and Safari

Vulnerability

A critical remote code execution vulnerability has been identified in Ray, an AI compute engine, in versions prior to 2.52.0. It affects developers running Ray as a local development tool and is exploitable from the Firefox and Safari browsers. The root cause is an inadequate defense against browser-originated requests: the check relied on the User-Agent header, which is client-controlled and does not authenticate where a request came from. Combined with a DNS rebinding attack, this weakness can be exploited against a developer running Ray who visits a malicious website or loads a malicious advertisement. The vulnerability is patched in Ray version 2.52.0.

Impact

Exploitation of this vulnerability allows arbitrary code execution on the developer's machine. It can also be used to reach network-adjacent Ray instances, with the developer's browser acting as the intermediary that carries the attacker's requests onto the local network.

Reproduction

To reproduce this vulnerability, start Ray and confirm that the dashboard is running. Then use a DNS rebinding tool such as NCC Group's Singularity to rebind an attacker-controlled hostname to the dashboard while the rebinding page is open in Firefox or Safari. Once the rebinding succeeds, the page can call the Ray Jobs API to submit a job whose entrypoint is a shell command, for example one that opens the Calculator application.
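The following is an added illustration, not Ray's code and not the 2.52.0 patch. It contrasts a User-Agent based "is this a browser?" test with a Host-header allowlist, which is the check that actually stops DNS rebinding: after the rebinding the browser has resolved the attacker's hostname to 127.0.0.1, but the Host header still carries the hostname the page fetched. The three request header sets are constructed, and the port 8265 (Ray's default dashboard port), the allowlist contents and the User-Agent strings are assumptions of the example.

```python
"""Illustrative DNS-rebinding defense for a localhost-bound HTTP API.

Added example, not Ray's own code: shows why deciding by User-Agent
fails and how a Host-header allowlist blocks rebound requests.
"""
from urllib.parse import urlsplit

# Names that legitimately reach a local dashboard. Assumption for this
# example: the service binds 127.0.0.1:8265 (Ray's default dashboard
# port); a real deployment would add the node's own IP or DNS name.
ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})
LISTEN_PORT = 8265


def normalize_headers(headers):
    """HTTP header names are case-insensitive; compare them lowercased."""
    return {k.lower(): v for k, v in headers.items()}


def browser_by_user_agent(headers):
    """The weak idea: decide 'is this a browser?' from User-Agent.

    Mainstream browser UAs begin with 'Mozilla/5.0', but the header only
    describes the client software. Under DNS rebinding the request is sent
    by the victim's real browser, so no UA rule can tell the developer's
    own dashboard tab from an attacker's page running in that same browser.
    """
    ua = normalize_headers(headers).get("user-agent", "")
    return ua.startswith("Mozilla/5.0")


def host_header_is_local(headers, allowed_hosts=ALLOWED_HOSTS,
                         listen_port=LISTEN_PORT):
    """The robust check: the Host header must name the service itself.

    After rebinding, the browser still sends 'Host: attacker.example:8265'
    because Host reflects the URL the page fetched, not the address it
    resolved to. Rejecting any Host outside the allowlist defeats the
    rebinding regardless of which browser or User-Agent is involved.
    """
    raw = normalize_headers(headers).get("host")
    if not raw:
        return False
    try:
        parts = urlsplit("//" + raw)       # parse as an authority component
        hostname, port = parts.hostname, parts.port
    except ValueError:                     # malformed, e.g. 'Host: foo:abc'
        return False
    if hostname not in allowed_hosts:
        return False
    # A missing port means the scheme default (80); the service is not there.
    return port == listen_port


def accept_request(headers):
    """Decision used by the hardened service: Host allowlist only."""
    return host_header_is_local(headers)


# Constructed sample requests (headers only), not captured traffic.
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
SAMPLE_REQUESTS = {
    # a CLI client such as `ray job submit` run on the same machine
    "cli_job_submit": {"Host": "127.0.0.1:8265",
                       "User-Agent": "python-requests/2.31.0"},
    # the developer's own browser tab on the dashboard
    "developer_dashboard_tab": {"Host": "localhost:8265",
                                "User-Agent": FIREFOX_UA},
    # the attacker's page in that same browser, after DNS rebinding
    "rebound_firefox": {"Host": "attacker.example:8265",
                        "User-Agent": FIREFOX_UA},
}


def evaluate_all():
    """Return {name: (ua_looks_like_browser, hardened_check_accepts)}."""
    return {name: (browser_by_user_agent(h), accept_request(h))
            for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (is_browser, accepted) in evaluate_all().items():
        print(f"{name:24s} ua_browser={is_browser!s:5s} accepted={accepted}")
```

The developer's own tab and the rebound page carry an identical User-Agent, so the UA test cannot separate them; only the Host header differs. Origin or CORS checks are not a substitute here: when the attacker serves the rebinding page on the same port as the dashboard, the post-rebinding request is same-origin from the browser's point of view and carries no Origin header at all.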

Remediation

Users are advised to upgrade Ray to version 2.52.0 or later. That release patches the vulnerability and also introduces an authentication feature that is disabled by default; enabling it adds a further layer of defense for any dashboard reachable from a browser or a local network.

Added: Nov 26, 2025, 11:24 PM
Updated: Nov 26, 2025, 11:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 10.0
exploitability: 7.4
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.