September 26, 2024 at 05:52PM
Nvidia’s Container Toolkit has a critical bug, CVE-2024-0132, rated 9.0/10 in severity, allowing an attacker to escape containers and take over the host. Nvidia issued a fix with versions v1.16.2 and v24.6.2. The vulnerability affects cloud and AI workloads, impacting 33% of cloud environments. Wiz’s security researchers found and disclosed the bug, and Nvidia confirmed its severity.
The meeting notes highlight a critical bug in Nvidia’s Container Toolkit, which could potentially allow an attacker to escape containers and gain control of the underlying host. The vulnerability, identified as CVE-2024-0132, has a high severity rating and affects several versions of Container Toolkit and Nvidia GPU Operator.
Nvidia has released fixes for this vulnerability with the latest versions of Container Toolkit (v1.16.2) and Nvidia GPU Operator (v24.6.2). However, it’s essential to note that the vulnerability does not impact use cases where Container Device Interface (CDI) is used.
The bug has been identified as a Time of Check Time of Use (TOCTOU) vulnerability, which can allow attackers to gain unauthorized access to resources. Exploiting the vulnerability would require crafting a specially designed image and getting it to run on the target platform.
The potential impacts of this vulnerability include code execution, denial of service, escalation of privileges, information disclosure, and data tampering. Organizations using Nvidia’s Container Toolkit are urged to deploy the fix promptly to mitigate the risk.
Wiz, the security research firm that discovered the bug, has not disclosed too many technical details about its exploitation in order to give vulnerable organizations time to deploy the fix. However, they have indicated that further details, including exploit information, will be shared in the future.
In summary, it’s crucial for organizations using Nvidia’s Container Toolkit to update to the latest versions and stay vigilant for further guidance from security researchers.