NVIDIA Container Toolkit Vulnerability Allows for File System Access
CVE-2024-0132

8.3HIGH

Key Information:

Vendor
Nvidia
Status
Container Toolkit
Gpu Operator
Vendor
CVE Published:
26 September 2024

Badges

๐Ÿ“ˆ Score: 273๐Ÿ‘พ Exploit Exists๐Ÿ“ฐ News Worthy

What is CVE-2024-0132?

CVE-2024-0132 is a vulnerability identified in the NVIDIA Container Toolkit, specifically in versions 1.16.1 and earlier. This toolkit is designed to facilitate the management and deployment of GPU-accelerated applications in containerized environments. The vulnerability stems from a Time-of-check Time-of-use (TOCTOU) flaw that can occur when the toolkit is configured with default settings. If exploited, this vulnerability could grant malicious actors unauthorized access to the host file system, leading to several adverse outcomes for organizations relying on this technology.

Technical Details

CVE-2024-0132 allows a specifically crafted container image to potentially alter its behavior while checking access permissions, resulting in unauthorized access to the host file system. This exploit hinges on the timing of file checks and their subsequent usage, thus enabling attackers to manipulate how the container interacts with the host. This issue specifically affects setups that do not implement Container Device Interface (CDI).

Potential Impact of CVE-2024-0132

  1. Code Execution: Successful exploitation of this vulnerability could enable attackers to execute arbitrary code on the host system, potentially leading to full system compromise.

  2. Escalation of Privileges: Attackers may gain elevated privileges, allowing them to perform actions that would typically require higher access levels, thus increasing the scope of their malicious activities.

  3. Data Tampering and Information Disclosure: The vulnerability can lead to unauthorized access to sensitive data, risking data integrity and confidentiality, which may have serious implications for data governance and compliance within organizations.

Affected Version(s)

Container Toolkit Linux All versions up to and including v1.16.1

GPU Operator Linux All versions up to and including 24.6.1

News Articles

favicon imageCyber Kendra

Researcher Discovers Critical NVIDIA Container Vulnerability

Security researchers at Wiz have uncovered a critical vulnerability (CVE-2024-0132) in NVIDIA's Container Toolkit that could allow attackers to escape container isolation and gain full access to host...

favicon imagewiz.io

NVIDIA AI vulnerability:ย  Deep Dive into CVE 2024-0132 | Wiz Blog

Critical severity vulnerability (CVE-2024-0132) affecting Container Toolkit and GPU Operator may present risk to cloud service providers

favicon imageThe Stack

October Patch Tuesday: MSFT patches 2 exploited zero days

Microsoft has patched a brace of zero days that are under active attack as part of October Patch Tuesday 2024.

References

https://nvidia.custhelp.com/app/answers/detail/a_id/5582

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • ๐Ÿ‘พ

    Exploit known to exist

  • ๐Ÿ“ฐ

    First article discovered by wiz.io

  • Vulnerability published

  • Vulnerability Reserved

.