{ "file_item": { "filepath": "security-advisories", "filename": "CERT-EU-SA2024-104.pdf" }, "title": "Critical Vulnerability in NVIDIA Container Toolkit", "serial_number": "2024-104", "publish_date": "27-09-2024 09:47:10", "description": "On September 26, 2024, a security advisory was issued regarding a critical vulnerability, CCVE-2024-0132, affecting NVIDIA Container Toolkit. NVIDIA Container Toolkit is providing containerised AI applications with access to GPU resources. This vulnerability impacts any AI application that is running the vulnerable container toolkit to enable GPU support.
\nThis vulnerability could allow a rogue user or software to escape their containers and ultimately take complete control of the underlying host.
\n", "url_title": "2024-104", "content_markdown": "---\ntitle: 'Critical Vulnerability in\u00a0NVIDIA\u00a0Container\u00a0Toolkit'\nnumber: '2024-104'\nversion: '1.0'\noriginal_date: 'September 26, 2024'\ndate: 'September 27, 2024'\n---\n\n_History:_\n\n* _27/09/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn September 26, 2024, a security advisory was issued regarding a critical vulnerability, **CCVE-2024-0132**, affecting NVIDIA Container Toolkit. NVIDIA Container Toolkit is providing containerised AI applications with access to GPU resources. This vulnerability impacts any AI application that is running the vulnerable container toolkit to enable GPU support. \n\nThis vulnerability could allow a rogue user or software to escape their containers and ultimately take complete control of the underlying host [1].\n\n# Technical details\n\nThe vulnerability **CCVE-2024-0132** has a CVSS score of 9.0 out of 10. It is a Time-of-Check/Time-of-Use (TOC/TOU) vulnerability, a type of race condition.\n\nA successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering [2].\n\n# Affected products\n\n- NVIDIA Container Toolkit: All versions up to and including v1.16.1 \n- NVIDIA GPU Operator: All versions up to and including 24.6.1 \n\n# Recommendations\n\nCERT-EU strongly recommends affected organisations to upgrade to the latest version of Container Toolkit (v1.16.2) and NVIDIA GPU Operator (v24.6.2 )[1].\n\n# References\n\n[1] \n\n[2] ", "content_html": "

History:

Summary

On September 26, 2024, a security advisory was issued regarding a critical vulnerability, CCVE-2024-0132, affecting NVIDIA Container Toolkit. NVIDIA Container Toolkit is providing containerised AI applications with access to GPU resources. This vulnerability impacts any AI application that is running the vulnerable container toolkit to enable GPU support.

This vulnerability could allow a rogue user or software to escape their containers and ultimately take complete control of the underlying host [1].

Technical details

The vulnerability CCVE-2024-0132 has a CVSS score of 9.0 out of 10. It is a Time-of-Check/Time-of-Use (TOC/TOU) vulnerability, a type of race condition.

A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering [2].

Affected products

Recommendations

CERT-EU strongly recommends affected organisations to upgrade to the latest version of Container Toolkit (v1.16.2) and NVIDIA GPU Operator (v24.6.2 )[1].

References

[1] https://nvidia.custhelp.com/app/answers/detail/a_id/5582

[2] https://www.wiz.io/blog/wiz-research-critical-nvidia-ai-vulnerability

", "licence": { "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)", "link": "https://creativecommons.org/licenses/by/4.0/", "restrictions": "https://cert.europa.eu/legal-notice", "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies" } }