Incomplete NVIDIA Patch to CVE-2024-0132 Exposes AI Infrastructure and Data to Critical Risks
A previously disclosed vulnerability in NVIDIA Container Toolkit has an incomplete patch, which, if exploited, could put a wide range of AI infrastructure and sensitive data at risk.
Summary:
- Trend Research identified that NVIDIA’s September 2024 security update for a critical vulnerability (CVE-2024-0132) in the NVIDIA Container Toolkit was incomplete, leaving systems potentially vulnerable to container escape attacks. Additionally, researchers discovered a denial-of-service (DoS) vulnerability affecting Docker on Linux.
- Exploiting these vulnerabilities could enable attackers to access sensitive host data or cause significant operational disruption by exhausting host resources. Successful exploitation could lead to unauthorized access to sensitive host data, theft of proprietary AI models or intellectual property, severe operational disruptions, and prolonged downtime due to resource exhaustion or system inaccessibility.
- Organizations utilizing the NVIDIA Container Toolkit or Docker in AI, cloud, or containerized environments are directly affected, particularly those using default configurations or specific toolkit features introduced in recent versions. Companies deploying AI workloads or Docker-based container infrastructure are potentially at risk.
- Trend Vision One™ provides visibility and detection capabilities for potential attacks that can take advantage of the vulnerability. For additional best practices and detailed recommendations, see the mitigation guidance provided below.
In September 2024, NVIDIA released several updates to address a critical vulnerability (CVE-2024-0132) in its NVIDIA Container Toolkit. If exploited, this vulnerability could expose AI infrastructure, data, or sensitive information. With a CVSS v3.1 rating of 9.0, all customers were advised to update their affected software immediately.
Further research, however, uncovered that the patch was incomplete. While analyzing the patch in October 2024, we identified a related performance flaw affecting Docker on Linux. These issues could enable attackers to escape container isolation, access sensitive host resources, and cause severe operational disruptions.
Analysis of CVE-2024-0132 uncovered an issue that could lead to denial of service
A time-of-check time-of-use (TOCTOU) vulnerability persists within the NVIDIA Container Toolkit, which allows a specially crafted container to access the host file system. Default configurations remain vulnerable for versions 1.17.3 and earlier, while version 1.17.4 requires the feature allow-cuda-compat-libs-from-container to be explicitly enabled.
This vulnerability was found during the review of the patches for CVE-2024-0132 and has been disclosed as ZDI-25-087.
Product | Affected Versions |
nvidia_container_toolkit | 1.17.3 and earlier; 1.17.4 needs a feature to be enabled |
Table 1. While earlier versions of the NVIDIA Container Toolkit are vulnerable, version 1.17.4 needs to have a feature enabled to be exploitable.
There’s also a performance issue potentially leading to a denial-of-service (DoS) vulnerability on the host machine. This issue affects Docker on Linux systems. According to the Docker security team:

The Docker API is a privileged interface. Consequently, any user with API access effectively holds root-level privileges on the host. It remains unclear whether this issue originates from Docker’s runtime or the Linux kernel’s handling of mount entries.
How the exploitation works for the DoS-binding issue
The same performance issue has also been reported independently by moby and NVIDIA:
- When a new container is created with multiple mounts configured using (bind-propagation=shared), multiple parent/child paths are established. However, the associated entries are not removed in the Linux mount table after container termination.
- This leads to a rapid and uncontrollable growth of the mount table, exhausting available file descriptors (fd). Eventually, Docker is unable to create new containers due to fd exhaustion.
- This excessively large mount table leads to a huge performance issue, preventing users from connecting to the host (i.e., via SSH).


An example of the potential exploitation of ZDI-25-087
The following steps outline how a potential attack could unfold:
- An attacker creates two malicious container images connected to each other via a volume symlink.
- The attacker runs the images on the victim’s platform, either directly or indirectly (e.g., supply chain and social engineering attacks).
- This enables the attacker to gain access to the host file system via a race condition.
- With this access, the attacker can subsequently access the Container Runtime Unix sockets to execute arbitrary commands with root privileges, i.e., gaining full remote control of the compromised system.
Security best practices for mitigating the vulnerability
To effectively mitigate vulnerabilities related to NVIDIA Container Toolkit (CVE-2024-0132 and associated Docker file system binding issue), we recommend the following best practices:
- Restrict Docker API access and privileges. Limit API access to authorized personnel only. Avoid granting unnecessary root-level permissions or privilege escalation to minimize potential exposure.
- Disable non-essential features. To reduce the attack surface, explicitly disable optional features introduced in NVIDIA Container Toolkit 1.17.4 unless operationally required.
- Implement container image admission controls. Enforce strong admission control policies within CI/CD pipelines. Automatically scan and block container images identified as vulnerable before deployment into production environments.
- Monitor the Linux mount table. Regularly inspect the Linux mount table for abnormal growth, as rapid increases in entries can signal active exploitation attempts or preparation for DoS attacks.
- Regularly audit container-to-host interactions. Conduct periodic audits of container-to-host filesystem bindings, volume mounts, and socket connections. Limit these interactions strictly to essential use cases, applying robust isolation strategies to minimize risks.
- Deploy runtime anomaly detection. Implement runtime monitoring tools capable of identifying anomalous behaviors indicative of exploitation, such as unauthorized host filesystem binding or unusual container activities.
- Conduct patch validation. Immediately validate all applied security patches. Given previous incomplete resolutions, thorough verification post-patching is essential to confirm effective vulnerability mitigation.
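The mount-table growth described in the DoS-binding section, and the monitoring recommended in the list above, can be checked by comparing two snapshots of `/proc/self/mountinfo`. The following is an added example, not code from the original article; the sample snapshots, the `/srv/data` path and the `max_new` threshold are constructed assumptions.

```python
import os
from collections import Counter

# Constructed /proc/self/mountinfo snapshots (not captured from a real host).
BASELINE = (
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "23 22 0:21 / /proc rw,nosuid - proc proc rw\n"
)
# Later snapshot: 40 leftover shared bind mounts under a made-up path.
LATER = BASELINE + "".join(
    f"{100 + i} 22 8:1 /srv/data /srv/data/m{i} rw shared:{50 + i} - ext4 /dev/sda1 rw\n"
    for i in range(40)
)

def parse_mountinfo(text):
    """Map (mount ID, mount point) -> is_shared for each well-formed line."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        try:
            sep = fields.index("-", 6)  # optional fields sit between index 6 and "-"
            mount_id = int(fields[0])
        except ValueError:
            continue  # truncated or malformed line
        shared = any(f.startswith("shared:") for f in fields[6:sep])
        mounts[(mount_id, fields[4])] = shared
    return mounts

def check_growth(before, after, max_new=25):
    """Compare two snapshots; max_new is an assumed threshold to tune per host."""
    old, new = parse_mountinfo(before), parse_mountinfo(after)
    added = [(key[1], new[key]) for key in new.keys() - old.keys()]
    parents = Counter(os.path.dirname(point) for point, _ in added)
    return {
        "total": len(new),
        "added": len(added),
        "added_shared": sum(1 for _, shared in added if shared),
        "busiest_parent": parents.most_common(1)[0][0] if parents else None,
        "alert": len(added) > max_new,
    }

if __name__ == "__main__":
    print(check_growth(BASELINE, LATER))
    with open("/proc/self/mountinfo") as fh:  # live table on a Linux host
        print(len(parse_mountinfo(fh.read())), "mounts on this host")
```

Run on a schedule with the previous snapshot saved to disk; a high `added_shared` count concentrated under one `busiest_parent` after containers have exited matches the leftover-entry pattern described above.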
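For the audit of container-to-host bindings recommended in the list above, one approach is to review `docker inspect` output for host-root binds, runtime socket mounts and shared propagation. This is an added example, not code from the original article; the container names, paths and the socket-name list are assumptions.

```python
import json
import posixpath

# Socket file names of common container runtimes (assumed defaults; extend per host).
RUNTIME_SOCKETS = {"docker.sock", "containerd.sock", "crio.sock"}

# Constructed `docker inspect` output; container names and paths are made up.
SAMPLE = json.dumps([
    {"Name": "/trainer", "Mounts": [
        {"Type": "bind", "Source": "/data/models", "Destination": "/models",
         "RW": False, "Propagation": "rprivate"}]},
    {"Name": "/helper", "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/host",
         "RW": True, "Propagation": "rprivate"},
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True, "Propagation": "rprivate"},
        {"Type": "bind", "Source": "/srv/share", "Destination": "/share",
         "RW": True, "Propagation": "shared"}]},
])

def audit(inspect_json):
    """Return {container name: [finding, ...]} for risky host bindings."""
    report = {}
    for container in json.loads(inspect_json):
        findings = []
        for m in container.get("Mounts") or []:
            if m.get("Type") != "bind":
                continue  # this check covers bind mounts only
            src = posixpath.normpath(m.get("Source", ""))
            dst = m.get("Destination")
            if src == "/":
                findings.append(f"host-root-bind:{dst}")
            if posixpath.basename(src) in RUNTIME_SOCKETS:
                findings.append(f"runtime-socket:{src}")
            if m.get("Propagation") in ("shared", "rshared"):
                findings.append(f"shared-propagation:{dst}")
        if findings:
            report[container.get("Name", "?").lstrip("/")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```

On a live host, pass the output of `docker inspect $(docker ps -q)` to `audit()` in place of `SAMPLE`.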
Proactive security with Trend Vision One™
Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.
Trend Vision One provides protection and detection capabilities through the following:
- Observed Attack Techniques (OAT):
  - XSAE.F8306 - Docker Root Filesystem Binding
  - XSAE.F11714 - Docker Root Filesystem Binding via docker.sock
- Workload Behaviors (WB):
  - Suspicious Container Creation via Root Filesystem Binding
  - Docker Root Filesystem Binding
  - Suspicious Container Creation With Root Filesystem Binding via Socket
Trend Micro has also added a Time-Critical Vulnerability alert in the Trend Vision One Executive Dashboard that will be continually updated with additional information related to prevention and detection as it becomes available.



Rapid patching remains the most effective mitigation, but it might not always be feasible, especially in complex or critical production environments. Trend Vision One™ Cloud Workload Security provides essential visibility and detection capabilities, such as detecting host file system binding to containers and running malicious containers escaping to the host file system.
Additionally, Trend Vision One™ Container Security proactively identifies vulnerabilities, malware, and compliance violations within container images. Detection capabilities for CVE-2024-0132 and the newly identified vulnerability from its failed patch are already available and integrate directly into Trend Vision One™ Cyber Risk Exposure Management.
As the attacker can create a malicious image with the exploit, Trend’s solutions can help detect this vulnerability on the pipeline before the image is pushed to production. This way, if the vulnerability is detected, Container Security (admission control policy enforcement) can block the container image from being deployed into the production environment. We also detect this vulnerability at runtime, ensuring customers have full visibility of this security issue across the entire environment.