CVE-2024-0132
NVIDIA Container Toolkit vulnerability analysis and mitigation

Summary

Wiz Research uncovered a critical vulnerability, CVE-2024-0132, in the widely used NVIDIA Container Toolkit. The vulnerability allows an attacker who controls a container image to escape the container and gain full access to the underlying host. Updating the affected package to the patched version, 1.16.2, is strongly recommended, prioritizing hosts that are likely to run containers, especially containers built from images originating in untrusted sources. Further prioritization can be achieved through runtime validation, so as to focus patching efforts on hosts where the toolkit is definitely in use.

NVIDIA has published a security bulletin detailing their update and the impact of this vulnerability.

October 2, 2024 update:

AWS published a bulletin stating that CVE-2024-0132 and CVE-2024-0133 affect Amazon Elastic Kubernetes Service (Amazon EKS) and Bottlerocket. Amazon released an updated version of the EKS GPU-optimized AMI (v20240928) with the patched NVIDIA Container Toolkit, as well as Bottlerocket 1.24.0.

Technical details

The container-escape vulnerability, CVE-2024-0132, impacts all versions of NVIDIA Container Toolkit up to and including v1.16.1. It could allow an attacker to escape from a container and take full control of the host machine, and from there to access sensitive data on the host or in other containers running on the same system.

In cloud platforms that allow customers to run GPU-enabled containers in shared compute environments, the vulnerability is even more dangerous. An attacker could deploy a malicious container, break out of it, and use the host machine's secrets to target the cloud service's control plane. This could give the attacker access to sensitive information, such as the source code, data, and secrets of other customers using the same service.

Affected products

CVE-2024-0132 affects NVIDIA Container Toolkit in all versions up to and including 1.16.1.

Remediation and mitigation

NVIDIA strongly advises updating the affected package to the patched version, 1.16.2.

Patching is highly recommended for container hosts running vulnerable versions of the Container Toolkit, prioritizing hosts that are likely to run containers, especially containers built from images originating in untrusted sources. Further prioritization can be achieved through runtime validation (for example, checking which hosts have the toolkit installed and a container runtime configured to use it), so as to focus patching efforts on hosts where the toolkit is definitely in use.

Note that Internet exposure is not a relevant factor when triaging this vulnerability: the affected container host does not need to be publicly exposed in order to load a malicious container image. Instead, initial access vectors include social engineering against developers; supply-chain scenarios such as an attacker with prior access to a container image repository; and containerized environments that allow external users to load arbitrary images (whether by design or due to a misconfiguration).
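As an added triage example (not tooling from NVIDIA, Wiz or AWS), the following POSIX shell script implements the runtime validation described above: it determines whether the toolkit is installed, whether its version is at or below 1.16.1, and whether Docker or containerd on the host is configured to use the NVIDIA runtime. The version comparison is done component by component so that, for instance, 1.9.x is correctly ranked below 1.16.2. The config file paths, the `nvidia-ctk --version` output format and the package name used for the dpkg/rpm lookups are assumptions.

```shell
#!/bin/sh
# Added triage helper for CVE-2024-0132; not NVIDIA's, Wiz's or AWS's own tooling.
# Assumptions (only the version numbers come from the advisory):
#  - every release up to and including 1.16.1 is affected and 1.16.2 is the fix
#  - `nvidia-ctk --version` prints a line that contains the toolkit version
#  - the package is named nvidia-container-toolkit in the dpkg/rpm databases
#  - the NVIDIA runtime is wired into Docker via /etc/docker/daemon.json or into
#    containerd via /etc/containerd/config.toml (assumed default paths)

PATCHED_VERSION="1.16.2"

# extract_version TEXT: print the first x.y.z version string found in TEXT (empty if none)
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_lt A B: exit 0 when A < B, comparing each dotted component numerically.
# A plain string comparison would wrongly rank 1.9.x above 1.16.x.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal
}

# is_vulnerable_version V: exit 0 when V is affected by CVE-2024-0132
is_vulnerable_version() {
    version_lt "$1" "$PATCHED_VERSION"
}

# installed_toolkit_version: print the installed toolkit version, or nothing if absent.
# Tries the toolkit CLI first, then the Debian and RPM package databases.
installed_toolkit_version() {
    if command -v nvidia-ctk >/dev/null 2>&1; then
        extract_version "$(nvidia-ctk --version 2>/dev/null)"
    elif command -v dpkg-query >/dev/null 2>&1; then
        extract_version "$(dpkg-query -W -f='${Version}' nvidia-container-toolkit 2>/dev/null)"
    elif command -v rpm >/dev/null 2>&1; then
        extract_version "$(rpm -q --qf '%{VERSION}' nvidia-container-toolkit 2>/dev/null)"
    fi
}

# nvidia_runtime_configured: exit 0 when Docker or containerd references the NVIDIA runtime
nvidia_runtime_configured() {
    grep -qs '"nvidia"' /etc/docker/daemon.json ||
        grep -qs 'nvidia-container-runtime' /etc/containerd/config.toml
}

# triage: classify this host; exit 0 when not affected, 1 when patching is needed
triage() {
    ver=$(installed_toolkit_version)
    if [ -z "$ver" ]; then
        echo "not affected: NVIDIA Container Toolkit not detected"
        return 0
    fi
    if ! is_vulnerable_version "$ver"; then
        echo "ok: NVIDIA Container Toolkit $ver (>= $PATCHED_VERSION)"
        return 0
    fi
    if nvidia_runtime_configured; then
        echo "vulnerable, high priority: toolkit $ver and a container runtime is wired to it"
    else
        echo "vulnerable: toolkit $ver installed, no runtime wiring found; patch anyway"
    fi
    return 1
}

# Run the triage only when invoked with TRIAGE=1, so the helpers can also be sourced.
if [ "${TRIAGE:-0}" = 1 ]; then
    triage
fi
```

Run it as `TRIAGE=1 sh triage.sh` on each GPU host (or push it through your configuration management or EDR script runner); a non-zero exit marks a host that needs the 1.16.2 update, with the message distinguishing hosts where a runtime is actually wired to the toolkit from hosts where the package is merely installed.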

Source: Wiz Research
