A serious security vulnerability has been identified in the NVIDIA Container Toolkit that could enable attackers to escape from a container and gain full access to the underlying host system.
Tracked as CVE-2024-0132, this flaw has a CVSS score of 9.0 out of 10.0 and has been patched in NVIDIA Container Toolkit v1.16.2 and NVIDIA GPU Operator version 24.6.2.
According to NVIDIA’s advisory, “NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration, which could allow a specially crafted container image to access the host file system.”
Exploiting this vulnerability may lead to various security issues, including code execution, denial of service, privilege escalation, information disclosure, and data tampering.
The vulnerability affects all versions of NVIDIA Container Toolkit up to v1.16.1 and NVIDIA GPU Operator up to version 24.6.1, but does not impact scenarios where the Container Device Interface (CDI) is utilized.
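The version boundaries above can be applied to a host inventory as follows. This is an added example, not code from NVIDIA or Wiz: the function names, the `uses_cdi` flag (supplied by the operator) and the inventory entries are hypothetical, and treating `-rc`/`-alpha`/`-beta` builds as older than the release is an assumption.

```python
import re

# First fixed releases, taken from the article text.
FIXED = {"container-toolkit": (1, 16, 2), "gpu-operator": (24, 6, 2)}

def parse_version(text):
    """Parse 'v1.16.1', '1.16.1-1' or '1.16.2-rc.1' into ((maj, min, patch), is_prerelease)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(m.group(i)) for i in (1, 2, 3))
    # Assumption: '-rc', '-alpha', '-beta' suffixes mark builds that precede the release.
    prerelease = bool(re.match(r"[-.~]?(rc|alpha|beta)", m.group(4), re.IGNORECASE))
    return numbers, prerelease

def triage(component, version, uses_cdi=False):
    """Classify one install as 'patched', 'not-exposed-cdi' or 'vulnerable'."""
    if component not in FIXED:
        raise ValueError(f"unknown component: {component!r}")
    numbers, prerelease = parse_version(version)
    fixed = FIXED[component]
    if numbers > fixed or (numbers == fixed and not prerelease):
        return "patched"
    # The article states that setups using CDI are not impacted; upgrading is still advised.
    return "not-exposed-cdi" if uses_cdi else "vulnerable"

# Constructed inventory: (host, component, version, uses_cdi). Not real systems.
INVENTORY = [
    ("gpu-node-01", "container-toolkit", "1.16.1-1", False),
    ("gpu-node-02", "container-toolkit", "v1.16.2", False),
    ("gpu-node-03", "container-toolkit", "1.14.6", True),
    ("gpu-node-04", "container-toolkit", "1.16.2-rc.1", False),
    ("k8s-cluster-a", "gpu-operator", "v24.6.1", False),
    ("k8s-cluster-b", "gpu-operator", "24.9.0", False),
]

def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(comp, ver, cdi) for host, comp, ver, cdi in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:15} {status}")
```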
Discovered and reported by cloud security firm Wiz on September 1, 2024, this flaw allows an attacker controlling the container images used by the Toolkit to execute a container escape and gain unrestricted access to the host.
In a potential attack scenario, a threat actor could exploit this vulnerability by creating a malicious container image that, when executed on the target platform, provides them with full access to the host file system. This could occur through supply chain attacks or services allowing shared GPU resources.
Security researchers Shir Tamari, Ronen Shustin, and Andres Riancho noted, “With this access, the attacker can reach the Container Runtime Unix sockets (docker.sock/containerd.sock).” These sockets can be used to execute arbitrary commands on the host system with root privileges.
This vulnerability presents a significant risk to orchestrated, multi-tenant environments, enabling an attacker to escape the container and access sensitive data from other applications running on the same node or cluster.
To mitigate the risk, users are strongly advised to apply the patches. The technical details of the attack have been withheld to prevent exploitation. The researchers emphasized that, while discussions around AI security risks often focus on futuristic threats, “old-school” infrastructure vulnerabilities within the rapidly evolving AI tech stack are immediate concerns that security teams must address.