A essential safety flaw has been disclosed within the NVIDIA Container Toolkit that, if efficiently exploited, might enable risk actors to interrupt out of the confines of a container and achieve full entry to the underlying host.
The vulnerability, tracked as CVE-2024-0132, carries a CVSS rating of 9.0 out of a most of 10.0. It has been addressed in NVIDIA Container Toolkit model v1.16.2 and NVIDIA GPU Operator model 24.6.2.
“NVIDIA Container Toolkit 1.16.1 or earlier accommodates a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration the place a particularly crafted container picture might achieve entry to the host file system,” NVIDIA stated in an advisory.
“A profitable exploit of this vulnerability might result in code execution, denial of service, escalation of privileges, data disclosure, and knowledge tampering.”
The difficulty impacts all variations of NVIDIA Container Toolkit as much as and together with v1.16.1, and Nvidia GPU Operator as much as and together with 24.6.1. Nonetheless, it doesn’t have an effect on use circumstances the place Container System Interface (CDI) is used.
Cloud safety agency Wiz, which found and reported the flaw to NVIDIA on September 1, 2024, stated it might enable an attacker who controls the container pictures run by the Toolkit to carry out a container escape and achieve full entry to the underlying host.
In an hypothetical assault situation, a risk actor might weaponize the shortcoming by making a rogue container picture that, when run on the goal platform both straight or not directly, grants them full entry to the file system.
This might materialize within the type of a provide chain assault the place the sufferer is tricked into working the malicious picture, or, alternatively, by way of companies that enable shared GPU sources.
“With this entry, the attacker can now attain the Container Runtime Unix sockets (docker.sock/containerd.sock),” safety researchers Shir Tamari, Ronen Shustin, and Andres Riancho stated.
“These sockets can be utilized to execute arbitrary instructions on the host system with root privileges, successfully taking management of the machine.”
The issue poses a extreme danger to orchestrated, multi-tenant environments, because it might allow an attacker to flee the container and acquire entry to knowledge and secrets and techniques of different purposes working on the identical node, and even the identical cluster.
Technical points of the assault have been withheld at this stage to stop exploitation efforts. It is extremely really helpful that customers take steps to use the patches to safeguard towards potential threats.
“Whereas the hype regarding AI safety dangers tends to give attention to futuristic AI-based assaults, ‘old-school’ infrastructure vulnerabilities within the ever-growing AI tech stack stay the quick danger that safety groups ought to prioritize and defend towards,” the researchers stated.