A crucial safety flaw has been disclosed within the NVIDIA Container Toolkit that, if efficiently exploited, may permit menace actors to interrupt out of the confines of a container and acquire full entry to the underlying host.
The vulnerability, tracked as CVE-2024-0132, carries a CVSS rating of 9.0 out of a most of 10.0. It has been addressed in NVIDIA Container Toolkit model v1.16.2 and NVIDIA GPU Operator model 24.6.2.
“NVIDIA Container Toolkit 1.16.1 or earlier comprises a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration the place a particularly crafted container picture could acquire entry to the host file system,” NVIDIA mentioned in an advisory.
“A profitable exploit of this vulnerability could result in code execution, denial of service, escalation of privileges, data disclosure, and information tampering.”
The difficulty impacts all variations of NVIDIA Container Toolkit as much as and together with v1.16.1, and Nvidia GPU Operator as much as and together with 24.6.1. Nonetheless, it doesn’t have an effect on use instances the place Container System Interface (CDI) is used.
Cloud safety agency Wiz, which found and reported the flaw to NVIDIA on September 1, 2024, mentioned it could permit an attacker who controls the container pictures run by the Toolkit to carry out a container escape and acquire full entry to the underlying host.
In an hypothetical assault situation, a menace actor may weaponize the shortcoming by making a rogue container picture that, when run on the goal platform both immediately or not directly, grants them full entry to the file system.
This might materialize within the type of a provide chain assault the place the sufferer is tricked into working the malicious picture, or, alternatively, by way of companies that permit shared GPU sources.
“With this entry, the attacker can now attain the Container Runtime Unix sockets (docker.sock/containerd.sock),” safety researchers Shir Tamari, Ronen Shustin, and Andres Riancho mentioned.
“These sockets can be utilized to execute arbitrary instructions on the host system with root privileges, successfully taking management of the machine.”
The issue poses a extreme danger to orchestrated, multi-tenant environments, because it may allow an attacker to flee the container and procure entry to information and secrets and techniques of different purposes working on the identical node, and even the identical cluster.
Technical points of the assault have been withheld at this stage to forestall exploitation efforts. It is extremely beneficial that customers take steps to use the patches to safeguard towards potential threats.
“Whereas the hype regarding AI safety dangers tends to concentrate on futuristic AI-based assaults, ‘old-school’ infrastructure vulnerabilities within the ever-growing AI tech stack stay the fast danger that safety groups ought to prioritize and shield towards,” the researchers mentioned.
