{"id":406,"date":"2024-09-27T11:49:53","date_gmt":"2024-09-27T11:49:53","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=406"},"modified":"2024-09-27T11:49:53","modified_gmt":"2024-09-27T11:49:53","slug":"a-critical-nvidia-container-toolkit-bug-can-allow-a-complete-host-takeover","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=406","title":{"rendered":"A critical Nvidia Container Toolkit bug can allow a complete host takeover"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Nvidia has patched a critical vulnerability affecting its container toolkit (formerly known as Nvidia docker).<\/p>\n<p>The vulnerability \u2014 tracked as CVE-2024-0132 \u2014 has been assigned a CVSS score of 9 out of 10 and can allow a rogue user or application to break out of their dedicated container and gain full access to the underlying host.<\/p>\n<p>\u201cNvidia Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system,\u201d Nvidia said in a patch note posted on its <a href=\"https:\/\/nvidia.custhelp.com\/app\/answers\/detail\/a_id\/5582\" target=\"_blank\" rel=\"noopener\">Security Bulletin<\/a>.<\/p>\n<p>The company added that, under certain circumstances, the successful exploitation of the vulnerability might allow code execution, denial of service, escalation of privileges, information disclosure, and data tampering.<\/p>\n<h2 class=\"wp-block-heading\">Time of Check Time of Use vulnerability<\/h2>\n<p>Nvidia Container Toolkit allows Nvidia containers, which are specialized software packages designed to facilitate the deployment of applications particularly involving artificial intelligence and 
machine learning use cases, to access the GPU hardware. It includes tools and libraries that enable applications running inside containers to utilize the GPU.<\/p>\n<p>According to a <a href=\"https:\/\/www.wiz.io\/blog\/wiz-research-critical-nvidia-ai-vulnerability\" target=\"_blank\" rel=\"noopener\">blog post<\/a> by Wiz Research, whose researchers Nvidia has credited with the discovery of the vulnerability, the flaw enables an attacker who controls a container image executed by the toolkit (a lightweight, standalone, executable package containing everything required to run an application) to escape that container and gain full access to the host.<\/p>\n<p>This stems from a \u201ctime of check time of use\u201d (TOCTOU) flaw, a race condition that happens when a program checks a condition and then uses the result of that check without ensuring that the condition hasn\u2019t changed in the interim.<\/p>\n<p>While the specific technical details of potential exploitation weren\u2019t disclosed for security reasons, the Wiz blog shared a potential attack flow. \u201cThe attacker crafts a specially designed image to exploit CVE-2024-0132,\u201d researchers said in the blog. \u201cThe attacker runs the malicious image on the target platform. This can be performed either directly in services allowing shared GPU resources or indirectly through a supply chain or social engineering attack such as a user running an AI image from an untrusted source.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Who should patch?<\/h2>\n<p>The container-escape vulnerability, as pointed out in the patch notes, affects all Nvidia Container Toolkit versions up to and including v1.16.1. According to Wiz researchers, the Toolkit is widely used, and the flaw could be affecting 35% of cloud environments.<\/p>\n<p>\u201cThis library is widely adopted as the go-to NVIDIA-supported solution for GPU access within containers,\u201d the researchers added. 
\u201cMoreover, it comes pre-installed in many AI platforms and virtual machine images (like AMIs), as it\u2019s a common infrastructure requirement for AI applications.\u201d<\/p>\n<p>For shared environments like Kubernetes, the bug can allow escaping a container and accessing data and secrets on other \u201capplications running on the same node \u2013 or even on the same cluster\u201d, exposing the entire environment. Organizations using a shared compute model are therefore advised to update the toolkit immediately.<\/p>\n<p>\u201cAn attacker could deploy a harmful container, break out of it, and use the host machine\u2019s secrets to target the cloud service\u2019s control systems,\u201d the researchers said. \u201cThis could give the attacker access to sensitive information, like the source code, data, and secrets of other customers using the same service.\u201d The company noted that the vulnerability does not impact use cases where Container Device Interface (CDI) is used. For everyone else looking to use the Nvidia Container Toolkit, a patch is now available.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Nvidia has patched a critical vulnerability affecting its container toolkit (formerly known as Nvidia docker). 
The vulnerability \u2014 tracked as CVE-2024-0132 \u2014 has been assigned a CVSS score of 9 out of 10 and can allow a rogue user or application to break out of their dedicated container and gain full access to the underlying [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":407,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-406","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/406"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=406"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/406\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/407"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}