Security researchers at Trend Micro have raised concerns about Nvidia's patch for a critical vulnerability in the Nvidia Container Toolkit, warning that the incomplete fix still leaves businesses vulnerable to container escape attacks.
The flaw, identified as CVE-2024-0132 and rated with a CVSS score of 9/10, was initially patched in September 2024 as a high-priority issue. However, Trend Micro now claims that the patch is “incomplete” and that the flaw still allows hackers to execute arbitrary commands, access sensitive data, or escalate privileges on compromised systems. Trend Micro’s analysis indicates that versions up to 1.17.3 of the toolkit remain vulnerable, while version 1.17.4 can be exploited if the allow-cuda-compat-libs-from-container feature is explicitly enabled.
Additionally, Trend Micro discovered an adjacent denial-of-service vulnerability tied to Docker on Linux systems. Containers configured with multiple mounts using bind-propagation, specifically those with the shared flag, can lead to unchecked growth in the Linux mount table. This can result in file descriptor exhaustion, causing a denial-of-service risk that disrupts container creation and prevents remote SSH connectivity.
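As an added illustration (not code from Trend Micro or Nvidia), the mount-table growth described above can be watched from the host by parsing /proc/self/mountinfo and counting entries that carry the shared propagation tag. The function names, the thresholds and the sample lines are assumptions constructed for this example.

```python
from collections import Counter

# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
SAMPLE = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:21 / /proc rw,nosuid - proc proc rw
101 22 8:1 /srv/data /var/lib/docker/x/a rw,relatime shared:1 - ext4 /dev/sda1 rw
102 22 8:1 /srv/data /var/lib/docker/x/b rw,relatime shared:1 - ext4 /dev/sda1 rw
103 22 8:1 /srv/data /var/lib/docker/x/c rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

def parse_mountinfo(text):
    """Yield (device, root, mount_point, is_shared) for each mountinfo line."""
    for line in text.splitlines():
        fields = line.split()
        try:
            sep = fields.index("-", 6)  # optional fields end at the "-" separator
        except ValueError:
            continue  # blank or malformed line
        optional = fields[6:sep]  # e.g. shared:N, master:N, unbindable
        is_shared = any(f.startswith("shared:") for f in optional)
        yield fields[2], fields[3], fields[4], is_shared

def summarize(text, max_mounts=1000, max_repeats=50):
    """Count mounts and flag sources mounted shared many times (thresholds assumed)."""
    total = shared = 0
    per_source = Counter()
    for device, root, _mount_point, is_shared in parse_mountinfo(text):
        total += 1
        if is_shared:
            shared += 1
            per_source[(device, root)] += 1
    repeated = {src: n for src, n in per_source.items() if n >= max_repeats}
    return {"total": total, "shared": shared, "repeated": repeated,
            "alert": total >= max_mounts or bool(repeated)}

if __name__ == "__main__":
    try:
        with open("/proc/self/mountinfo") as fh:  # live table on a Linux host
            data = fh.read()
    except OSError:
        data = SAMPLE  # fall back to the constructed sample
    print(summarize(data))
```

Run periodically on container hosts, a rising total or a growing "repeated" set gives warning before the mount table grows large enough to block container creation or SSH logins.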
Trend Micro advises enterprise users to limit Docker API access to authorized personnel, avoid unnecessary root-level privileges, and disable optional features in the Nvidia Container Toolkit unless absolutely necessary.
Cloud security provider Wiz notes that this flaw impacts over 35% of cloud environments using Nvidia GPUs, enabling attackers to break out of containers and gain control of the host system. The vulnerability’s widespread impact is concerning, especially given Nvidia’s prevalent use in both cloud and on-premises AI operations.
Trend Micro’s analysis explains that attackers can exploit a TOCTOU (Time-of-Check to Time-of-Use) race condition: a gap between the moment a container's access to the host file system is checked and the moment that access is used. This gap enables attackers to inject operations that bypass intended isolation, granting the container access to host resources. The patch's failure to enforce strict checks during the container's runtime leaves this vulnerability open.
“Exploiting these vulnerabilities could allow attackers to access sensitive host data, steal proprietary AI models or intellectual property, and cause significant operational disruptions or extended downtime,” Trend Micro stated.
Organizations using the Nvidia Container Toolkit or Docker in AI, cloud, or containerized environments are particularly at risk, especially those with default configurations or specific toolkit features introduced in recent versions.
“Companies deploying AI workloads or Docker-based container infrastructure are vulnerable to these risks,” Trend Micro warned.