A newly discovered vulnerability in the NVIDIA Container Toolkit affects a wide range of AI applications, both in cloud environments and on-premise systems, which rely on the toolkit for GPU resource access.
The security flaw, identified as CVE-2024-0132, allows malicious actors to perform container escape attacks, potentially gaining full control of the host system. Once compromised, attackers can execute arbitrary commands or steal sensitive data from the host.
CVE-2024-0132 is classified as a critical security issue, earning a severity score of 9.0. It affects NVIDIA Container Toolkit versions 1.16.1 and earlier, as well as GPU Operator versions 24.6.1 and earlier. The vulnerability stems from insufficient isolation between the containerized GPU and the host system. This lack of isolation enables containers to access sensitive parts of the host filesystem or interact with runtime resources such as Unix sockets used for inter-process communication.
Although most host filesystems are mounted with read-only permissions, writable Unix sockets like ‘docker.sock’ and ‘containerd.sock’ remain vulnerable, allowing an attacker to interact directly with the host system. With a specially crafted container image, an adversary could exploit this weakness to compromise the host.
Wiz Research found that an attack can be launched either directly by sharing GPU resources or indirectly by running a malicious image from an untrustworthy source.
The vulnerability was first reported to NVIDIA by Wiz researchers on September 1st, and the company responded promptly, releasing a security patch on September 26th.
Users affected by this vulnerability should update to NVIDIA Container Toolkit version 1.16.2 and GPU Operator version 24.6.2. Although technical details on exploiting the vulnerability remain confidential to give organizations time to apply the patch, Wiz researchers plan to release more information in the future.
