NVIDIA has released a security update to address multiple vulnerabilities in its Container Toolkit and GPU Operator software. The update patches three security flaws that could potentially allow attackers to execute malicious code, escalate privileges, or launch denial-of-service attacks.
The most severe vulnerability, identified as CVE-2024-0135, allows a specially crafted container image to modify a host binary. A successful exploit of this vulnerability could lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Two other vulnerabilities, CVE-2024-0136 and CVE-2024-0137, involve improper isolation that could grant an attacker read and write access to host devices or allow untrusted code to run in the host’s network namespace.
NVIDIA has released updated versions of the Container Toolkit and GPU Operator to address these vulnerabilities. Users are urged to update their software to the latest versions as described in the installation sections of the NVIDIA Container Toolkit documentation and the NVIDIA GPU Operator documentation.
The security bulletin also provides detailed mitigation strategies for specific vulnerabilities. For instance, to mitigate CVE-2024-0136 and CVE-2024-0137, users should ensure the NVIDIA Container Toolkit is configured to use the host’s ldconfig binary.
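The following shell check is an added example, not NVIDIA's own tooling or part of the bulletin: it inspects a toolkit config file for the `ldconfig` key and reports whether the value carries the leading `@`, which (assumed here, per the toolkit's config format) tells the runtime to run the host's ldconfig rather than one from inside the container. The config path `/etc/nvidia-container-runtime/config.toml` and the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added check (not NVIDIA's code). Assumption: the toolkit reads
# `ldconfig = "..."` under [nvidia-container-cli] in config.toml, and a
# leading "@" pins the path to the host's ldconfig binary.

# ldconfig_is_host_pinned FILE
#   exit 0 if the ldconfig value starts with "@", exit 1 otherwise
#   (missing key counts as not pinned, so it is flagged for review).
ldconfig_is_host_pinned() {
    value=$(sed -n 's/^[[:space:]]*ldconfig[[:space:]]*=[[:space:]]*//p' "$1" \
            | head -n 1 | tr -d '"')
    case "$value" in
        @*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample: the weak setting (ldconfig resolved without the "@").
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
[nvidia-container-cli]
ldconfig = "/sbin/ldconfig"
EOF

# Constructed sample: the corrected setting using the host's ldconfig.
FIXED_CFG=$(mktemp)
cat > "$FIXED_CFG" <<'EOF'
[nvidia-container-cli]
ldconfig = "@/sbin/ldconfig"
EOF

# report FILE: human-readable result for one config file.
report() {
    if ldconfig_is_host_pinned "$1"; then
        echo "OK: $1 uses the host ldconfig binary"
    else
        echo "REVIEW: $1 does not pin ldconfig to the host binary"
    fi
}

report "$WEAK_CFG"
report "$FIXED_CFG"
# Check the live toolkit config when present on this host (assumed path).
[ -f /etc/nvidia-container-runtime/config.toml ] \
    && report /etc/nvidia-container-runtime/config.toml
```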