Trend Micro Flags Incomplete Nvidia Patch That Leaves AI Containers Exposed – Source: www.securityweek.com

Security researchers at Trend Micro are flagging problems with Nvidia’s patch for a critical vulnerability in the Nvidia Container Toolkit, warning that the incomplete mitigation leaves enterprises exposed to container escape attacks.

The flaw, tagged as CVE-2024-0132 with a CVSS score of 9/10, was patched last September as a high-priority issue but now comes word from Trend Micro that the patch is “incomplete” and left the door ajar for hackers to execute arbitrary commands, compromise sensitive data, or escalate privileges on an affected system.

According to Trend Micro’s analysis, a specially crafted container can exploit the TOCTOU timing window between when a container’s access to the host file system is checked and when the access is actually executed. 

This gap allows an attacker to inject operations that bypass the intended isolation, effectively letting the container access or manipulate host resources. The oversight here lies in the patch’s inability to enforce strict checks that would preclude this race condition in the container’s runtime, Trend Micro explained.

“Exploiting these vulnerabilities could enable attackers to access sensitive host data or cause significant operational disruption by exhausting host resources,” Trend Micro said in its documentation of the faulty patch.

“Successful exploitation could lead to unauthorized access to sensitive host data, theft of proprietary AI models or intellectual property, severe operational disruptions, and prolonged downtime due to resource exhaustion or system inaccessibility.”

The security company said organizations utilizing the NVIDIA Container Toolkit or Docker in AI, cloud, or containerized environments are directly affected, particularly those using default configurations or specific toolkit features introduced in recent versions. 

“Companies deploying AI workloads or Docker-based container infrastructure are potentially at risk,” the company added.

According to Trend Micro’s analysis, versions up to 1.17.3 of the toolkit are inherently vulnerable, while version 1.17.4 requires an explicit enabling of the feature allow-cuda-compat-libs-from-container to be exploitable. 

In addition, Trend Micro said it uncovered an adjacent denial-of-service flaw linked to Docker on Linux systems. Containers configured with multiple mounts using bind-propagation (specifically those with the shared flag) could trigger unchecked growth in the Linux mount table. 

Trend Micro said the resulting exhaustion of file descriptors poses a serious denial-of-service risk, effectively stalling container creation and denying remote connectivity via SSH.

The company is urging enterprise users to limit the Docker API to authorized personnel only and avoid unnecessary root-level privileges and to disable optional features in the NVIDIA Container Toolkit unless they are strictly required. 

According to documentation from cloud security vendor Wiz, the flaw threatens more than 35% of cloud environments using Nvidia GPUs, allowing attackers to escape containers and take control of the underlying host system. The impact is far-reaching, given the prevalence of Nvidia’s GPU solutions in both cloud and on-premises AI operations.

Related: Critical Nvidia Flaw Exposes Cloud AI Systems to Host Takeover

Related: Nvidia Patches High-Severity Vulnerabilities in AI, Networking Products

Related: Nvidia Patches High-Severity GPU Driver Vulnerabilities

Related: Code Execution Flaws Haunt NVIDIA ChatRTX for Windows

Related: SAP AI Core Flaws Allowed Service Takeover, Customer Data Access