Nvidia Container Toolkit recently discovered a critical vulnerability that allows attackers to go beyond the container and gain full access to the host system. The vulnerability was identified as cve-2024-0132 and scored 9.0 out of 10 on the CVSS scale.
This vulnerability affects all versions of NVIDIA Container Toolkit up to V1.16.1 and NVIDIA GPU Operator up to version 24.6.1. The vulnerability is attributed to the Time-Of-Check Time-Of-Use (TOCTOU) mechanism.
By exploiting this vulnerability with default settings, a specially crafted container image can gain access to the host file system. This access can lead to the execution of arbitrary code, denial of service, privilege escalation, information disclosure, and data manipulation. The vulnerability, however, does not impact cases where the Container Device Interface (CDI) interface is utilized.
The vulnerability was discovered by Wiz, who notified NVIDIA on September 1. According to researchers, an attacker could exploit the vulnerability by controlling container images launched through the Toolkit, enabling them to “escape from the container” and gain access to the host system.
One possible attack scenario involves creating a malicious container image that, when launched on the target platform directly or through services that share GPU resources, allows full access to the host file system. This access could be used to attack the supply chain or exploit services with shared resources.
By gaining access to the Container Runtime sockets (docker.sock/containerd.sock), an attacker could execute arbitrary commands on the root host system, effectively gaining complete control over the device.
This vulnerability poses a significant threat to orchestrated multi-tenancy environments, where an attacker could breach the container and access data and secrets from other applications running on the same node or cluster.
The vulnerability has been addressed in the NVIDIA Container Toolkit V1.16 and Nvidia GPU Operator V24.6.2. The technical details of the attacks have