A critical security flaw has been discovered in the NVIDIA Container Toolkit that, if successfully exploited, could allow threat actors to break out of the container and gain full access to the underlying host.
Vulnerability, tracked as CVE-2024-0132has a CVSS score of 9.0 out of a maximum of 10.0. It was addressed in NVIDIA Container Toolkit v1.16.2 and NVIDIA GPU Operator v24.6.2.
“NVIDIA Container Toolkit 1.16.1 or earlier contains a time-of-use check (TACT) vulnerability when used with default configuration where a specially crafted container image could access the host’s file system,” NVIDIA said in the advisory.
“Successful exploitation of this vulnerability could lead to code execution, denial of service, elevation of privilege, information disclosure, and data tampering.”
The issue affects all versions of NVIDIA Container Toolkit up to and including 1.16.1 and Nvidia GPU Operator up to and including 24.6.1. However, this does not affect Container Device Interface (CDI) use cases.
Cloud security firm Wiz, which discovered the flaw and notified NVIDIA on September 1, 2024, said it would allow an attacker controlling container images running Toolkit to perform an exit from the container and gain full access to the underlying host.
In a hypothetical attack scenario, a threat actor could exploit the flaw by creating a fake container image that, when executed directly or indirectly on the target platform, gives them full access to the file system.
This could materialize as a supply chain attack where a victim is tricked into running a malicious image, or alternatively through services that allow shared GPU resources.
“With this access, an attacker can now access Container Runtime Unix sockets (docker.sock/containerd.sock),” security researchers Shire Tamari, Ronen Schustin and Andres Riancho said.
“These sockets can be used to execute arbitrary commands on a host system with root privileges, effectively taking control of the machine.”
The issue poses a serious risk to orchestrated multi-tenant environments as it could allow an attacker to exit the container and gain access to data and secrets of other applications running on the same node and even in the same cluster.
The technical aspects of the attack have been kept under wraps at this stage to prevent exploitation attempts. Users are strongly encouraged to take steps to apply patches to protect against potential threats.
“While the hype around AI security risks tends to focus on futuristic AI-based attacks, ‘old-school’ infrastructure vulnerabilities in the ever-growing AI technology stack remain an immediate risk that security teams must prioritize and defend against them,” the researchers said. .
