Fortra is actively researching vulnerabilities in NVIDIA Container Toolkit. A malicious container can exploit these vulnerabilities to gain access to the host filesystem in read-only mode. Successful exploitation and subsequent actions can lead to code execution and privilege escalation. The greatest risk appears to be that an attacker can escape from their container and gain control over other containers on the same host.
NVIDIA has released patched versions of the affected products. Customers are advised to update to a patched version as soon as possible.
Who is affected?
The following platforms are affected by these vulnerabilities:
- NVIDIA Container Toolkit up to and including v1.16.1
- NVIDIA GPU Operator up to and including 24.6.1
What can I do?
The vendor has released patched versions of NVIDIA Container Toolkit and NVIDIA GPU Operator. Customers should update to the following patched versions as soon as possible.
- NVIDIA Container Toolkit v1.16.2
- NVIDIA GPU Operator 24.6.2
For more information, refer to NVIDIA’s security bulletin.
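One way to triage an inventory against the fixed versions listed above, as an added example that is not part of the original advisory or of any Fortra or NVIDIA tool. The inventory format, component labels and host names are assumptions, as is the choice to send a pre-release build of the fixed version to manual review.

```python
import re

# First fixed releases from the advisory; keys are assumed inventory labels.
FIXED = {
    "nvidia-container-toolkit": (1, 16, 2),
    "gpu-operator": (24, 6, 2),
}
_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")
_PRERELEASE = re.compile(r"^[-.~]?(rc|alpha|beta)", re.IGNORECASE)

def classify(component, version):
    """Return 'affected', 'patched' or 'unknown' for one installed version."""
    fixed = FIXED.get(component)
    m = _VER.match(version.strip())
    if fixed is None or m is None:
        return "unknown"  # unrecognised input goes to manual review
    # Compare as integers: a string comparison would rank 1.9.0 above 1.16.2.
    triple = tuple(int(part) for part in m.group(1, 2, 3))
    if triple < fixed:
        return "affected"
    # A pre-release build of the fixed version is not the release named above.
    if triple == fixed and _PRERELEASE.match(m.group(4)):
        return "unknown"
    return "patched"  # distro revisions such as "-1" land here or above

def triage(inventory_text):
    """Parse 'host component version' lines into (host, component, version, verdict)."""
    rows = []
    for line in inventory_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skips blank or malformed lines
        host, component, version = parts
        rows.append((host, component, version, classify(component, version)))
    return rows

# Constructed sample inventory; host names and format are hypothetical.
SAMPLE = """\
gpu-node-01 nvidia-container-toolkit 1.16.1-1
gpu-node-02 nvidia-container-toolkit v1.16.2
gpu-node-03 nvidia-container-toolkit 1.9.0
cluster-a gpu-operator v24.6.1
cluster-b gpu-operator 24.6.2-rc.1
gpu-node-04 nvidia-container-toolkit unknown-build
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```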
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below.
Alert Logic Vulnerability Scanning: Alert Logic released authenticated scan detection for NVIDIA Container Toolkit on October 3, 2024, and NVIDIA GPU Operator on October 8.
Fortra VM: Fortra released authenticated checks for CVE-2024-0132 and CVE-2024-0133 via Network Scanner v. 4.52.0 on October 11, 2024.
Tripwire IP360: Tripwire released authenticated scan coverage on October 10, 2024, to identify vulnerable instances. If the vulnerabilities are found, Tripwire vulnerability 666900 will match for CVE-2024-0133 or vulnerability 666899 will match for CVE-2024-0132.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
10/03/2024: Alert Logic released authenticated scan detection for NVIDIA Container Toolkit.
10/08/2024: Alert Logic released authenticated scan detection for NVIDIA GPU Operator.
10/10/2024: Tripwire IP360 released authenticated scan coverage for these CVEs.
10/11/2024: Fortra VM released authenticated checks for these CVEs.