A severe vulnerability in NVIDIA Container Toolkit affects all AI programs in a cloud or on-premise setting that depend on it to get right of entry to GPU sources.
The protection factor is tracked as CVE-2024-0132 and permits an adversary to accomplish container break out assaults and achieve complete get right of entry to to the host device, the place they might execute instructions or exfiltrate delicate data.
The precise library comes pre-installed in lots of AI-focused platforms and digital device photographs and is the usual software for GPU get right of entry to when NVIDIA {hardware} is concerned.
In line with Wiz Analysis, greater than 35% of cloud environments are susceptible to assaults exploiting the vulnerability.
Supply: Wiz
Container break out flaw
The protection factor CVE-2024-0132 won a critical-severity rating of 9.0. This can be a container break out downside that has effects on NVIDIA Container Toolkit 1.16.1 and previous, and GPU Operator 24.6.1 and older.
The issue is a loss of protected isolation of the containerized GPU from the host, permitting boxes to mount delicate portions of the host filesystem or get right of entry to runtime sources like Unix sockets for inter-process communique.
Whilst maximum filesystems are fastened with “read-only” permissions, sure Unix sockets akin to ‘docker.sock’ and ‘containerd.sock’ stay writable, permitting direct interactions with the host, together with command execution.
An attacker can profit from this omission by the use of a specifically crafted container symbol and succeed in the host when done.
Wiz says that such an assault may well be performed both at once, by the use of shared GPU sources, or not directly, when the objective runs a picture downloaded from a nasty supply.
Wiz researchers came upon the vulnerability and reported it to NVIDIA on September 1st. The GPU maker said the file a few days later, and launched a repair on September twenty sixth.
Impacted customers are beneficial to improve to NVIDIA Container Toolkit model 1.16.2 and NVIDIA GPU Operator 24.6.2.
Technical main points for the exploiting the protection factor stay non-public for now, to offer impacted organizations time to mitigate the problem of their environments. Alternatively, the researchers are making plans to liberate extra technical data.