Multiple vulnerabilities in NVIDIA Container Toolkit and GPU Operator
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2024-0132 CVE-2024-0133 |
| CWE-ID | CWE-367 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
NVIDIA Container Toolkit Other software / Other software solutions NVIDIA GPU Operator Other software / Other software solutions |
| Vendor | nVidia |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Time-of-check Time-of-use (TOCTOU) Race Condition
EUVDB-ID: #VU97846
Risk: Medium
CVSSv4.0: 7.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2024-0132
CWE-ID:
CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a time-of-check, time-of-use (TOCTOU) race condition. A remote user can execute arbitrary code to the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsNVIDIA Container Toolkit: - - 1.16.1
NVIDIA GPU Operator: - - 24.6.1
CPE2.3- cpe:2.3:a:nvidia:nvidia_container_toolkit:*:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_container_toolkit:1.16.1:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_gpu_operator:*:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_gpu_operator:24.6.1:*:*:*:*:*:*:*
https://nvidia.custhelp.com/app/answers/detail/a_id/5582
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Time-of-check Time-of-use (TOCTOU) Race Condition
EUVDB-ID: #VU97847
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-0133
CWE-ID:
CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a time-of-check, time-of-use (TOCTOU) race condition in the default mode of operation. A remote user can use specially crafted container image to create empty files on the host file system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsNVIDIA Container Toolkit: - - 1.16.1
NVIDIA GPU Operator: - - 24.6.1
CPE2.3- cpe:2.3:a:nvidia:nvidia_container_toolkit:*:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_container_toolkit:1.16.1:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_gpu_operator:*:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_gpu_operator:24.6.1:*:*:*:*:*:*:*
https://nvidia.custhelp.com/app/answers/detail/a_id/5582
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
