This exposure is under active attack, yet Ray's developers dispute that it is a vulnerability and do not intend to fix it.
The dispute between Ray's developers and security researchers highlights hidden assumptions and teaches lessons for AI security, internet-exposed assets, and vulnerability scanning through an understanding of ShadowRay.
The researchers calculate that this vulnerability should earn a 9.8 using the Common Vulnerability Scoring System, yet Anyscale denies that the exposure is a vulnerability.
Let's examine these assumptions in the context of AI security, internet-exposed resources, and vulnerability scanning.
Many others leave resources accessible on the internet with significant security vulnerabilities open to exploitation.
A search across all severity levels of vulnerabilities exposes millions of potential issues, yet it doesn't even include a disputed CVE such as ShadowRay or other accidentally misconfigured and accessible infrastructure.
Engaging a cloud-native application protection platform or even a cloud resource vulnerability scanner can help detect exposed vulnerabilities.
Anyscale's dispute of CVE-2023-48022 puts the vulnerability into a gray zone along with the many other disputed CVE vulnerabilities.
These disputed vulnerabilities merit tracking either through a vulnerability management tool or risk management program.
First, vulnerability scanning tools vary in how they handle disputed vulnerabilities, and second, these vulnerabilities need active tracking and verification.
Different vulnerability scanners and threat feeds will handle disputed vulnerabilities differently.
Some will omit disputed vulnerabilities, others might include them as optional scans, and others might include them as different types of issues.
With regard to vulnerability scanners, it won't be obvious whether an existing tool scans for a specific vulnerability.
Security teams must actively follow which vulnerabilities may affect the IT environment and verify that the tool checks for the specific CVEs of concern.
For disputed vulnerabilities, additional steps may be needed, such as filing a request with the vulnerability scanner's support team to verify how the tool will or won't address that specific vulnerability.
To further reduce the risk of exposure, use multiple vulnerability scanning tools and penetration tests to validate the potential risk of discovered vulnerabilities or to discover additional potential issues.
In the case of ShadowRay, Anyscale provided one tool, but free open-source vulnerability scanning tools can also provide useful additional resources.
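As an added example (not code from the article, from Anyscale, or from the Ray project), the following Python script reconciles a CVE watchlist against the coverage each scanner claims and flags disputed entries, which NVD marks with a "** DISPUTED **" prefix in the description. The feed records, the scanner coverage sets and the recommended-action strings are constructed for illustration.

```python
"""Reconcile a CVE watchlist against scanner coverage and flag disputed CVEs."""
import re
from dataclasses import dataclass

# NVD/MITRE prefix disputed CVE descriptions with "** DISPUTED **".
DISPUTED_RE = re.compile(r"\*\*\s*DISPUTED\s*\*\*", re.IGNORECASE)

# Constructed NVD-style records, reduced to the fields used here.
CVE_FEED = [
    {"id": "CVE-2023-48022", "cvss": 9.8,
     "description": "** DISPUTED ** Constructed summary of the Ray Jobs API exposure."},
    {"id": "CVE-2024-0000", "cvss": 7.5,
     "description": "Constructed undisputed example entry."},
    {"id": "CVE-2024-0001", "cvss": 6.1,
     "description": "Constructed entry that no scanner below covers."},
]

# Constructed: CVE IDs each scanner's vendor says it has a check for.
SCANNER_COVERAGE = {
    "scanner-a": {"CVE-2024-0000"},
    "scanner-b": {"CVE-2024-0000", "CVE-2023-48022"},
}


@dataclass
class TrackingItem:
    cve: str
    cvss: float
    disputed: bool
    covered_by: list[str]
    action: str


def is_disputed(description: str) -> bool:
    """True when the feed description carries the NVD disputed marker."""
    return bool(DISPUTED_RE.search(description))


def build_tracking_list(feed, coverage, watchlist):
    """One tracking item per watched CVE with a recommended follow-up action."""
    by_id = {rec["id"]: rec for rec in feed}
    items = []
    for cve in watchlist:
        rec = by_id.get(cve)
        if rec is None:  # not in the feed at all: nothing to reconcile against
            items.append(TrackingItem(cve, 0.0, False, [], "not in feed: look up manually"))
            continue
        disputed = is_disputed(rec["description"])
        covered = sorted(name for name, ids in coverage.items() if cve in ids)
        if not covered:
            action = "no scanner coverage: file a support request and verify by pentest"
        elif disputed:
            action = "disputed: confirm scanner behaviour with the vendor and verify exposure manually"
        else:
            action = "covered: schedule routine scan"
        items.append(TrackingItem(cve, rec["cvss"], disputed, covered, action))
    return items
```

Even a CVE that a scanner claims to cover still needs manual verification when it is disputed, because vendors may ship such checks as optional or informational only.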
You don't have to be vulnerable to ShadowRay to appreciate the indirect lessons that the issue teaches about AI risks, internet-exposed assets, and vulnerability scanning.
Be aware of limitations for vulnerability scanning tools, AI modeling, and employees rushing to deploy cloud resources.
Create mechanisms for teams to collaborate for better security and implement a system to continuously monitor for potential vulnerabilities through research, threat feeds, vulnerability scanners, and penetration testing.
This Cyber News was published on www.esecurityplanet.com. Publication date: Tue, 16 Apr 2024 21:28:07 +0000