Help Center/ Cloud Container Engine/ Product Bulletin/ Vulnerability Notices/ Notice of Container Escape Vulnerability in NVIDIA Container Toolkit (CVE-2024-0132)
Updated on 2024-11-11 GMT+08:00

Notice of Container Escape Vulnerability in NVIDIA Container Toolkit (CVE-2024-0132)

NVIDIA Container Toolkit is an open-source tool package from NVIDIA. It allows you to use NVIDIA GPUs to accelerate computing in a containerized environment. The toolkit includes a container runtime library and utilities for automatically configuring containers to leverage NVIDIA GPUs.

Description

Table 1 Vulnerability details

Type

CVE-ID

Severity

Discovered

Container escape

CVE-2024-0132

Critical

2024-09-26

Impact

In NVIDIA Container Toolkit v1.16.1 and earlier versions, an attacker can run a malicious image, which may result in container escape and enables the attacker to obtain host permissions. Successful exploitation of this vulnerability may enable code execution, DoS, privilege escalation, information leakage, and data tampering.

Identification Method

  1. If the cluster does not have the CCE AI Suite (NVIDIA GPU) add-on installed or if the add-on version is earlier than 2.0.0, this vulnerability is not relevant.

    In earlier versions, CCE AI Suite (NVIDIA GPU) add-on are named gpu-beta or gpu-device-plugin.

  2. If CCE AI Suite (NVIDIA GPU) version is 2.0.0 or later, you can log in to the target GPU node and run the following command:
    nvidia-container-runtime --version
    • If this command is not found, this vulnerability is not relevant.
    • If the version of nvidia-container-runtime is earlier than 1.16.2, this vulnerability is present.

Mitigation

Do not run an untrusted container image in the cluster before the vulnerability is fixed.

CCE will release a new version of the CCE AI Suite (NVIDIA GPU) add-on to fix this vulnerability. Pay attention to CCE AI Suite (NVIDIA GPU) Release History.