Nvidia Container Toolkit found to have worrying security flaws
Vulnerability could allow hackers to escape the container and cause havoc
NVIDIA Container Toolkit and GPU Operator were carrying a critical vulnerability that allowed threat actors access to the underlying host’s file system, experts have warned.
Cybersecurity researchers at Wiz discovered the flaw and reported it to Nvidia on September 1, 2024. It is tracked as CVE-2024-0132 and carries a vulnerability score of 9.0/10 (critical).
It is described as a Time-of-Check Time-of-Use (TOCTOU) vulnerability. It can only be abused when the tools are set up in their default configuration; in that case, a threat actor could craft a special container image that grants them access to the host file system.
Different environments at risk
“A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering,” the company said in a security advisory.
The bug affected all NVIDIA Container Toolkit versions before v1.16.2 and all NVIDIA GPU Operator versions before 24.6.2, which were the first releases to address the flaw. It is also worth mentioning that the vulnerability cannot be exploited when Container Device Interface (CDI) is used.
“The urgency with which you should fix the vulnerability depends on the architecture of your environment and the level of trust you place in running images,” the researchers said in their technical write-up. “Any environment that allows the use of third party container images or AI models – either internally or as-a-service – is at higher risk given that this vulnerability can be exploited via a malicious image.”
They stressed that single-tenant compute environments could be at risk if a user downloads a malicious container image from an untrusted source, giving the crooks access to the workstation. In orchestrated environments such as Kubernetes (K8s), an attacker with permission to deploy a container could access data and secrets of other applications running on the same node or cluster.
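To turn the affected-version and CDI details above into a patch-priority list, the following added example (not code from Nvidia, Wiz or the article) classifies an inventory of GPU hosts against the fixed releases the article names. The inventory schema, host names, status labels and the treatment of rc/alpha/beta builds are assumptions made for illustration.

```python
import re

# First fixed releases, as stated in the article.
FIXED = {"toolkit": (1, 16, 2), "gpu_operator": (24, 6, 2)}
_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)([-~](?:rc|alpha|beta)[\w.]*)?", re.I)

def is_affected(component, version_text):
    """True if older than the fixed release, False if not, None if unparseable."""
    m = _VER.search(version_text or "")
    if m is None:
        return None
    version = tuple(int(part) for part in m.group(1, 2, 3))
    if version != FIXED[component]:
        return version < FIXED[component]
    # Assumption: an rc/alpha/beta build of the fixed release predates the fix.
    return m.group(4) is not None

def triage(host):
    """Classify one inventory record (hypothetical schema, see SAMPLE_HOSTS)."""
    checks = [is_affected(c, host[c]) for c in FIXED if host.get(c)]
    if not checks or None in checks:
        return "unknown"          # no usable version data: inspect by hand
    if not any(checks):
        return "patched"
    # The article notes the flaw cannot be exploited when CDI is used;
    # such hosts still need the upgrade but can be scheduled after the rest.
    return "affected-cdi" if host.get("cdi") else "affected"

# Constructed sample inventory; host names and versions are illustrative.
SAMPLE_HOSTS = [
    {"name": "gpu-node-a", "toolkit": "v1.16.1", "gpu_operator": "v24.6.1", "cdi": False},
    {"name": "gpu-node-b", "toolkit": "1.16.2-1", "gpu_operator": "v24.6.2", "cdi": False},
    {"name": "gpu-node-c", "toolkit": "1.15.0", "cdi": True},
    {"name": "gpu-node-d", "toolkit": "1.16.2-rc.1", "cdi": False},
    {"name": "workstation-e", "toolkit": "", "cdi": False},
]

def report(hosts):
    """Map each host name to its triage status."""
    return {h["name"]: triage(h) for h in hosts}

if __name__ == "__main__":
    for name, status in report(SAMPLE_HOSTS).items():
        print(f"{name:14} {status}")
```

Hosts reported as "affected" that also accept third-party images are the ones the researchers describe as highest risk.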
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.