Significant NVIDIA Container Toolkit Vulnerability May Provide Complete Host Access to Intruders

Sep 27, 2024Ravie LakshmananContainer Security / Cloud Computing

A critical vulnerability has been disclosed in the NVIDIA Container Toolkit that, if successfully exploited, could allow attackers to break out of a container and gain complete control over the host system.

The vulnerability, tracked as CVE-2024-0132, carries a CVSS score of 9.0 out of 10.0. It has been fixed in NVIDIA Container Toolkit version v1.16.2 and NVIDIA GPU Operator version 24.6.2.

“NVIDIA Container Toolkit 1.16.1 or prior versions feature a Time-of-check Time-of-Use (TOCTOU) vulnerability in default configurations where a specifically crafted container image may gain access to the host file system,” NVIDIA said in an advisory.

“A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.”

The issue affects all versions of NVIDIA Container Toolkit up to and including v1.16.1, as well as NVIDIA GPU Operator up to and including 24.6.1. However, it does not affect use cases where Container Device Interface (CDI) is used.
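The affected ranges and the CDI exception above can be turned into a fleet triage check. This is an added example, not code from NVIDIA, Wiz or the original article; the component labels, inventory layout, node names and sample version strings are assumptions constructed for illustration.

```python
import re

# Last affected releases as stated in the article (fixed in 1.16.2 and 24.6.2).
LAST_AFFECTED = {
    "container-toolkit": (1, 16, 1),
    "gpu-operator": (24, 6, 1),
}
# x.y.z with an optional pre-release label; packaging suffixes like "-1" are ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-~.]?(rc|alpha|beta)[.\d]*)?", re.I)


def assess(component, version_text, uses_cdi=False):
    """Classify one install: affected, not-impacted-cdi, patched or review."""
    limit = LAST_AFFECTED.get(component)
    match = VERSION_RE.search(version_text or "")
    if limit is None or match is None:
        return "review"  # unknown component or unparsable version: check by hand
    version = tuple(int(part) for part in match.group(1, 2, 3))
    if version <= limit:
        # The article states that setups using CDI are not impacted.
        return "not-impacted-cdi" if uses_cdi else "affected"
    if match.group(4):
        return "review"  # pre-release of a later version: fix not guaranteed
    return "patched"


def triage(inventory):
    """Group node names by status for a list of inventory rows."""
    report = {}
    for row in inventory:
        status = assess(row["component"], row["version"], row.get("cdi", False))
        report.setdefault(status, []).append(row["node"])
    return report


# Constructed inventory: hypothetical node names and version strings.
SAMPLE_INVENTORY = [
    {"node": "gpu-a", "component": "container-toolkit",
     "version": "NVIDIA Container Toolkit CLI version 1.16.1"},
    {"node": "gpu-b", "component": "container-toolkit", "version": "v1.16.2"},
    {"node": "gpu-c", "component": "container-toolkit", "version": "1.15.0-1", "cdi": True},
    {"node": "gpu-d", "component": "gpu-operator", "version": "v24.6.1"},
    {"node": "gpu-e", "component": "gpu-operator", "version": "24.6.2"},
    {"node": "gpu-f", "component": "container-toolkit", "version": "1.17.0-rc.1"},
    {"node": "gpu-g", "component": "gpu-operator", "version": "unknown"},
]

if __name__ == "__main__":
    for status, nodes in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:17} {', '.join(nodes)}")
```

Nodes reported as `review` need a manual check, since an unparsable or pre-release version string cannot be matched against the fixed releases.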

Discovered and reported to NVIDIA on September 1, 2024, by cloud security company Wiz, the flaw could allow an attacker who controls the container images run by the Toolkit to perform a container escape and gain full control over the underlying host system.

In a hypothetical attack scenario, an attacker could exploit the weakness by creating a rogue container image that, when run on the target platform either directly or indirectly, provides full access to the file system.

This could take the form of a supply chain attack in which the victim is tricked into running the malicious image, or it could happen via services that allow shared GPU resources.

“With this access, the attacker can now reach the Container Runtime Unix sockets (docker.sock/containerd.sock),” security researchers Shir Tamari, Ronen Shustin, and Andres Riancho said.

“These sockets can be used to execute arbitrary commands on the host system with root privileges, effectively taking control of the machine.”

The issue poses a serious threat to orchestrated, multi-tenant environments, as it could result in an attacker breaking out of the container and gaining access to data and secrets of other applications running on the same node, even within the same cluster.

Specific technical details of the attack have been withheld at this point to deter exploitation attempts. It is strongly advised that users promptly apply the patches to protect against potential threats.

“Although discussions surrounding AI security risks often revolve around futuristic AI-based attacks, vulnerabilities in the foundational infrastructure of the ever-expanding AI technology stack remain the immediate risks that security teams must focus on and defend against,” stated the researchers.
