A flaw rated “critical” in Nvidia server tools could potentially allow attackers to compromise AI servers.Researchers with Wiz identified the flaw last year, which could allow an attacker to escape a container and execute high level commands or view data from other containers on the host machine.Administrators are being advised to update their Nvidia Container software.According to Wiz, this vulnerability disclosure has been roughly five months in the making. Its team posted an initial bulletin back in September providing a loose description of the flaw, but opted not to give specific details for fear threat actors would be able to suss out enough information to create working exploits.Tracked as CVE-2024-0132, the vulnerability concerns the way Nvidia’s container toolkit handles runtime commands and would leave the attacker with root privileges on the host server, if exploited.“The vulnerability enables a malicious adversary to mount the host’s root filesystem into a container, granting unrestricted access to all of the host’s files,” Wiz researchers Shir Tamari, Ronen Shustin, and Andres Riancho explained.“Moreover, with access to the host’s container runtime Unix sockets, attackers can launch privileged containers and achieve full host compromise.”More specifically, the Wiz team found that when mounting a new container, the Nvidia container software fails to properly apply restrictions that would prevent access to the host filesystem.This means that, upon mounting a new container, there could potentially be a brief window where it would be possible to load up commands that would allow access to resources that otherwise would not have been granted.“Significant and risky operations occur on the container’s filesystem, where a potential attacker could manipulate files and settings,” the Wiz crew explained.“Furthermore, these operations are executed from the host.”Should the threat actor manage to inject certain library files with malicious commands, they would potentially end up being able to load the host’s filesystem from within their container.At that point, the threat actor would essentially end up with unfettered access to everything on the host server.This is particularly serious because the flaw in present in container tools, a key part of the system AI researchers use when running their Nvidia-powered AI projects. The market for AI hardware has been a massive part of Nvidia’s business strategy in recent years, as its GPUs are uniquely well-suited for the complex operations that power AI tools. Accordingly, critical security flaws in the software powering those AI systems pose a greater threat than ever.“As we detailed in our initial blog post, this vulnerability affects any AI application — whether in the cloud or on-premises — that is running the vulnerable container toolkit,” the Wiz researchers cautioned.
