Detections
Analytics

NVIDIA Container Toolkit < 1.16.2 Multiple Vulnerabilities

high Nessus Plugin ID 208077

Synopsis

The remote host is missing a security update.

Description

The version of NVIDIA Container Toolkit installed on the remote host is prior to 1.16.2. It is, therefore, affected by multiple vulnerabilities as referenced in the September 2024 Security Bulletin.

 - NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. (CVE-2024-0132)

 - NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container image to create empty files on the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to data tampering.
 (CVE-2024-0133)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to NVIDIA Container Toolkit version 1.16.2 or later.

See Also

https://nvidia.custhelp.com/app/answers/detail/a_id/5582

Plugin Details

Severity: High

ID: 208077

File Name: nvidia_container_toolkit_2024_9.nasl

Version: 1.1

Type: local

Agent: unix

Family: Misc.

Published: 10/3/2024

Updated: 10/3/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.9

CVSS v2

Risk Factor: High

Base Score: 7.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-0132

CVSS v3

Risk Factor: High

Base Score: 8.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:nvidia:container_toolkit

Required KB Items: installed_sw/NVIDIA Container Toolkit

Patch Publication Date: 9/25/2024

Vulnerability Publication Date: 9/25/2024

Reference Information

CVE: CVE-2024-0132, CVE-2024-0133