Hi, I am interested in container security. Recently, I found a bypass of CVE-2024-0132 fix. The following gives the details.
Severity: Important CVSS Score: 8.3 CVSS3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Affected versions: - nvidia-container-toolkit >=v1.0.0, <=v1.17.3 Description: In handling the CUDA Forward Compatibility feature, the NVIDIA Container Toolkit's libnvidia-container library mounts files from the container's /usr/local/cuda/compat directory into the container's library directories (such as /usr/lib/x86_64-linux-gnu/). This mounting behavior is susceptible to symbolic link attacks, which can lead to arbitrary host directories being mounted in read-only mode inside the container, potentially leading to container escape. This vulnerability is a bypass of the fix for CVE-2024-0132(the first known GPU-specific container escape).The fix for CVE-2024-0132 restricted scenarios where the mount source is a symbolic link, but it can be bypassed through shared volumes and race conditions.Given the widespread adoption of NVIDIA Container Toolkit in AI/ML infrastructure, we suggest that this issue should be addressed promptly. This issue affects nvidia-container-toolkit: from the v1.0.0 version to v1.17.3. Users are recommended to upgrade to version v1.17.4,which fixes the issue, or use the CDI mode to mitigate. Credit: Lei Wang <wanglei...@huawei.com<mailto:wanglei...@huawei.com>> (finder) References: https://nvidia.custhelp.com/app/answers/detail/a_id/5616
