Nvidia reports critical flaw in Container Toolkit allowing attackers to escape containers
Take action: If you are running Nvidia Container Toolkit, update it to the latest version. The exploit scenario requires a malicious image to be run on a host with the vulnerable toolkit, but given enough time malicious code will be injected in containers. No need to panic, but keep your Nvidia Container Toolkit patched.
Nvidia has addressed a critical vulnerability in its widely used Container Toolkit, which could allow attackers to escape containers and take complete control of the host system.
The flaw, tracked as CVE-2024-0132 (CVSS score 9.0), is a Time of Check to Time of Use (TOCTOU) race condition. It affects all versions of Nvidia Container Toolkit up to and including v1.16.1 and Nvidia GPU Operator up to and including v24.6.1. Nvidia has released patches for both: Container Toolkit v1.16.2 and GPU Operator v24.6.2.
Security researchers from Wiz, who discovered and disclosed the vulnerability on September 1, 2023, estimate that 33% of cloud environments are using vulnerable versions of Nvidia Container Toolkit, putting them at risk. In single-tenant environments, exploitation could result from a user inadvertently running a malicious container image, potentially compromising their workstation. In shared environments, such as Kubernetes-based ones, attackers with permissions to deploy containers could escape the container and gain access to other applications' secrets or sensitive information on the same node or cluster.
Because so many AI service providers "run AI models and training procedures as containers in shared compute environments, where multiple applications from different customers share the same GPU device," the opportunity for an attacker to hop customer boundaries is ripe.
Wiz added: "Users run AI models and training procedures as containers in shared compute environments, where multiple applications from different customers share the same GPU device and hop the container boundary. With this access, the attacker can now reach the Container Runtime Unix sockets (docker.sock/containerd.sock). These sockets can be used to execute arbitrary commands on the host system with root privileges, effectively taking control of the machine."
Nvidia urges organizations using affected versions to patch immediately to prevent possible host takeovers. Details on the exploitation process are being withheld by Wiz to give vulnerable organizations time to apply fixes.
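To act on the version ranges given above, the following added example (not from Nvidia or Wiz) triages an inventory of installed versions against the fixed releases named in the article. The component keys, host names and sample inventory are constructed for illustration, and the treatment of pre-release builds is an assumption.

```python
import re

# First fixed releases, as stated in the article above.
FIXED = {
    "nvidia-container-toolkit": (1, 16, 2),
    "gpu-operator": (24, 6, 2),
}

def parse_version(raw):
    """Parse 'v1.16.1', '1.16.1-1' or '24.6.2-rc.1' into ((major, minor, patch), is_prerelease)."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)(.*)", raw)
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    numbers = tuple(int(p) for p in m.group(1, 2, 3))
    prerelease = re.search(r"rc|alpha|beta", m.group(4), re.I) is not None
    return numbers, prerelease

def is_affected(component, raw):
    """True if the version predates the first fixed release of the component."""
    numbers, prerelease = parse_version(raw)
    fixed = FIXED[component]
    # Numeric tuple comparison: 1.9.0 < 1.16.2, which a plain string comparison gets wrong.
    # Assumption: a pre-release build of the fixed version is treated as not yet fixed.
    return numbers < fixed or (numbers == fixed and prerelease)

def triage(inventory):
    """Return (host, component, version, action) for every entry that needs attention."""
    findings = []
    for host, component, version in inventory:
        if component not in FIXED:
            continue  # not one of the two components named in the advisory
        try:
            if is_affected(component, version):
                findings.append((host, component, version, "UPDATE"))
        except ValueError:
            findings.append((host, component, version, "CHECK MANUALLY"))
    return findings

# Constructed sample inventory (host, component, reported version).
SAMPLE = [
    ("gpu-node-01", "nvidia-container-toolkit", "1.16.1-1"),
    ("gpu-node-02", "nvidia-container-toolkit", "v1.16.2"),
    ("gpu-node-03", "nvidia-container-toolkit", "1.9.0"),
    ("cluster-a", "gpu-operator", "v24.6.1"),
    ("cluster-b", "gpu-operator", "v24.6.2"),
    ("gpu-node-04", "nvidia-container-toolkit", "unknown"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="\t")
```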