NVIDIA Container Toolkit Has a Critical Flaw You Should Patch Now

• CVE-2024-0132 affects NVIDIA Container Toolkit versions through 1.16.1 and NVIDIA GPU Operator versions through 24.6.1

• NVIDIA has released a fixed version of both libraries

• No known exploitation currently

Since AI began running the world last year, we’ve seen plenty of research on AI-enabled attack techniques (which may or may not be practical) and convoluted attacks on AI systems, but there are still more than enough existing methods that work just fine. Researchers at Wiz recently discovered a critical bug in the widely deployed NVIDIA Container Toolkit that can be exploited by creating a malicious container image and would give the attacker full access to the underlying file system. From there, it’s off to the races.

“By exploiting the vulnerability, the attacker gains the ability to mount the entire host file system, obtaining full read access to the underlying host. This gives the attacker full visibility to the underlying infrastructure, and potentially allows access to other customers' confidential data,” Wiz said in its post on the vulnerability (CVE-2024-0132). 

The NVIDIA Container Toolkit is a library designed to enable access to GPUs in container images. It’s included with a number of AI platforms and the GPU Operator is a companion library used to deploy and manage the Container Toolkit. Any organization that has container hosts running a vulnerable version of these libraries should look at this flaw as a high priority for patching as quickly as possible.

The NVIDIA advisory makes it pretty clear: “A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.”

NVIDIA released the patched versions of the libraries on Sept. 25.