A vital safety flaw has been disclosed within the NVIDIA Container Toolkit that, if efficiently exploited, may permit risk actors to interrupt out of the confines of a container and achieve full entry to the underlying host.
The vulnerability, tracked as CVE-2024-0132, carries a CVSS rating of 9.0 out of a most of 10.0. It has been addressed in NVIDIA Container Toolkit model v1.16.2 and NVIDIA GPU Operator model 24.6.2.
“NVIDIA Container Toolkit 1.16.1 or earlier comprises a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration the place a particularly crafted container picture might achieve entry to the host file system,” NVIDIA mentioned in an advisory.
“A profitable exploit of this vulnerability might result in code execution, denial of service, escalation of privileges, info disclosure, and information tampering.”
The problem impacts all variations of NVIDIA Container Toolkit as much as and together with v1.16.1, and Nvidia GPU Operator as much as and together with 24.6.1. Nonetheless, it doesn’t have an effect on use instances the place Container Machine Interface (CDI) is used.
Cloud safety agency Wiz, which found and reported the flaw to NVIDIA on September 1, 2024, mentioned it will permit an attacker who controls the container photographs run by the Toolkit to carry out a container escape and achieve full entry to the underlying host.
In an hypothetical assault situation, a risk actor may weaponize the shortcoming by making a rogue container picture that, when run on the goal platform both instantly or not directly, grants them full entry to the file system.
This might materialize within the type of a provide chain assault the place the sufferer is tricked into working the malicious picture, or, alternatively, by way of providers that permit shared GPU assets.
“With this entry, the attacker can now attain the Container Runtime Unix sockets (docker.sock/containerd.sock),” safety researchers Shir Tamari, Ronen Shustin, and Andres Riancho mentioned.
“These sockets can be utilized to execute arbitrary instructions on the host system with root privileges, successfully taking management of the machine.”
The issue poses a extreme danger to orchestrated, multi-tenant environments, because it may allow an attacker to flee the container and procure entry to information and secrets and techniques of different purposes working on the identical node, and even the identical cluster.
Technical facets of the assault have been withheld at this stage to forestall exploitation efforts. It is extremely beneficial that customers take steps to use the patches to safeguard towards potential threats.
“Whereas the hype regarding AI safety dangers tends to concentrate on futuristic AI-based assaults, ‘old-school’ infrastructure vulnerabilities within the ever-growing AI tech stack stay the rapid danger that safety groups ought to prioritize and shield towards,” the researchers mentioned.
