A critical security flaw has been disclosed in the NVIDIA Container Toolkit that, if successfully exploited, could allow threat actors to break out of the confines of a container and gain full access to the underlying host.
The vulnerability, tracked as CVE-2024-0132, carries a CVSS score of 9.0 out of a maximum of 10.0. It has been addressed in NVIDIA Container Toolkit version v1.16.2 and NVIDIA GPU Operator version 24.6.2.
“NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system,” NVIDIA stated in an advisory.
“A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.”
The issue affects all versions of NVIDIA Container Toolkit up to and including v1.16.1, and NVIDIA GPU Operator up to and including 24.6.1. However, it does not affect use cases where the Container Device Interface (CDI) is used.
Cloud security firm Wiz, which discovered and reported the flaw to NVIDIA on September 1, 2024, said it could allow an attacker who controls the container images run by the Toolkit to perform a container escape and gain full access to the underlying host.
In a hypothetical attack scenario, a threat actor could weaponize the shortcoming by creating a rogue container image that, when run on the target platform either directly or indirectly, grants them full access to the file system.
This could materialize in the form of a supply chain attack where the victim is tricked into running the malicious image, or, alternatively, via services that allow shared GPU resources.
“With this access, the attacker can now reach the Container Runtime Unix sockets (docker.sock/containerd.sock),” safety researchers Shir Tamari, Ronen Shustin, and Andres Riancho stated.
“These sockets can be used to execute arbitrary commands on the host system with root privileges, effectively taking control of the machine.”
The issue poses a severe risk to orchestrated, multi-tenant environments, as it could allow an attacker to escape the container and gain access to the data and secrets of other applications running on the same node, or even the same cluster.
Technical details of the attack have been withheld at this stage to prevent exploitation attempts. Users are strongly advised to apply the patches to safeguard against potential threats.
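As an added example (not code from NVIDIA, Wiz, or the article), the following Python triage helper applies the affected-version boundaries and the CDI exemption stated above to an inventory of hosts. It assumes the toolkit version is taken from the output of `nvidia-ctk --version` and that the runtime mode is read from the toolkit's runtime configuration; the host inventory and the version output strings are constructed for illustration.

```python
import re

# Fixed versions as stated in the advisory: anything below these is affected.
TOOLKIT_FIXED = (1, 16, 2)
GPU_OPERATOR_FIXED = (24, 6, 2)


def parse_version(text):
    """Return the first dotted x.y.z version in `text` as a tuple of ints.
    Accepts a bare '1.16.1', a 'v24.6.1', or a full CLI banner line."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def toolkit_is_vulnerable(version_text, runtime_mode="legacy"):
    """True when the Container Toolkit is <= 1.16.1 and not in CDI mode.
    `runtime_mode` mirrors the runtime's mode setting (assumed values:
    'legacy', 'cdi', 'auto'). Only an explicit 'cdi' is treated as exempt,
    per the advisory; 'auto' is conservatively counted as affected."""
    if runtime_mode.strip().lower() == "cdi":
        return False
    return parse_version(version_text) < TOOLKIT_FIXED


def gpu_operator_is_vulnerable(version_text):
    """True when the GPU Operator release is <= 24.6.1."""
    return parse_version(version_text) < GPU_OPERATOR_FIXED


def triage(hosts):
    """Return the names of hosts whose toolkit install is still affected.
    Each host is a dict: name, toolkit (nvidia-ctk --version output), mode."""
    return [
        h["name"]
        for h in hosts
        if toolkit_is_vulnerable(h["toolkit"], h.get("mode", "legacy"))
    ]


# Constructed sample inventory (hypothetical hosts, constructed banner text).
SAMPLE_HOSTS = [
    {"name": "gpu-node-a", "toolkit": "NVIDIA Container Toolkit CLI version 1.16.1", "mode": "legacy"},
    {"name": "gpu-node-b", "toolkit": "NVIDIA Container Toolkit CLI version 1.16.2", "mode": "legacy"},
    {"name": "gpu-node-c", "toolkit": "NVIDIA Container Toolkit CLI version 1.15.0", "mode": "cdi"},
    {"name": "gpu-node-d", "toolkit": "NVIDIA Container Toolkit CLI version 1.14.6", "mode": "auto"},
]

if __name__ == "__main__":
    print("hosts needing the 1.16.2 update:", triage(SAMPLE_HOSTS))
```

Hosts reported by `triage` should be moved to v1.16.2 (and GPU Operator deployments to 24.6.2); a CDI-mode host is left out only because the advisory exempts it, not because its version is current.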
“While the hype concerning AI security risks tends to focus on futuristic AI-based attacks, ‘old-school’ infrastructure vulnerabilities in the ever-growing AI tech stack remain the immediate risk that security teams should prioritize and protect against,” the researchers stated.