AI workloads are in demand, and especially on Nvidia chips. This combination is now unfortunate, as a vulnerability exposes Nvidia’s Container Toolkit to 35 percent of all cloud environments.
The vulnerability in question is CVE-2024-0132. Wiz Research discovered the flaw in Nvidia’s Container Toolkit, which provides AI applications with the necessary AI computing power. It operates in conjunction with other packages to link GPUs to workloads. Organizations run this solution both in the cloud and on-prem. Given Nvidia’s massive presence in the global AI stack, Container Toolkit is an obvious choice.
Container escape
To exploit the vulnerability, control of a container image is already required. Thus, another attack path is necessary before CVE-2024-0132 can pose a risk. Then attackers can gain access to the host system, with dire consequences. Such a process is known as a container escape.
How such a container image ends up in an IT stack varies. For example, attackers can slip a malicious image to an unsuspecting user, after which the system can be taken over remotely. From a captured workstation, it is then possible for all kinds of valuable data to be extracted or lateral movement through the IT infrastructure to occur.
In a cloud environment, the image can simply be uploaded if authorized. Similarly, shared environments such as Kubernetes also allow Nvidia Container Toolkit to be abused.
Taking action
Wiz Research is not yet sharing all the details about the attack possibilities. Although a patch is already available (version 1.16.2), the researchers want to give organizations time to patch before the exact techniques are out in the open. Nvidia already has already released a security bulletin and has been continuously cooperative, according to Wiz Research.
It is now up to organizations to mitigate incrementally. Specifically, VMs are vulnerable if the Nvidia GPUs are using containers via the Nvidia Container Toolkit with images coming from an untrusted source.
Also read: Leak in Arc browser fixed after a day