CVE-2024-0134

UNIX Symbolic Link (Symlink) Following (CWE-61)

Published: Nov 5, 2024 / Updated: 14d ago

010
CVSS 4.1EPSS 0.04%Medium
CVE info copied to clipboard

Summary

NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The name and location of the files cannot be controlled by an attacker. A successful exploit of this vulnerability might lead to data tampering.

Impact

This vulnerability could allow an attacker to create unauthorized files on the host system using a specially crafted container image. While the attacker cannot control the name or location of these files, it could potentially lead to data tampering. The impact is primarily on the integrity of the system, with no direct effect on confidentiality or availability.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available for this vulnerability. The patch details indicate that a fix has been added on 2024-11-05, as reported by bugzilla.redhat.com.

Mitigation

1. Apply the available patch as soon as possible. 2. Monitor and restrict access to container creation and management. 3. Implement strict access controls and least privilege principles for users interacting with NVIDIA Container Toolkit and NVIDIA GPU Operator. 4. Regularly audit and monitor file system changes on host systems running these NVIDIA components. 5. Keep NVIDIA Container Toolkit and NVIDIA GPU Operator up to date with the latest security releases.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-0134. See article

Nov 5, 2024 at 7:52 AM / Security feed from CyberSecurity Help
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 5, 2024 at 7:53 AM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 5, 2024 at 8:42 AM
CVE Assignment

NVD published the first details for CVE-2024-0134

Nov 5, 2024 at 7:15 PM
CVSS

A CVSS base score of 4.1 has been assigned.

Nov 5, 2024 at 7:20 PM / nvd
Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2024-0134).

Nov 5, 2024 at 8:35 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10%)

Nov 6, 2024 at 10:25 AM
Static CVE Timeline Graph

Affected Systems

Nvidia/nvidia_gpu_operator
+null more

Patches

bugzilla.redhat.com
+null more

Attack Patterns

CAPEC-27: Leveraging Race Conditions via Symbolic Links
+null more

Vendor Advisory

CVE-2024-0134
CVE Id: CVE-2024-0134 Release Date: 2024-11-05 Update Date: 2024-11-05 Impact Moderate CVSS Base Score: 4.1 Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N Description No description is available for this CVE.

References

Security Bulletin: NVIDIA Container Toolkit - November 2024
CVE ID Description Vector Base Score Severity CWE Impacts CVE-2024-0134 NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The following table lists the software products and versions affected, and the updated version available from nvidia.com that includes this security update.
Security Bulletin: NVIDIA Container Toolkit - November 2024
Release Date: 2024-11-05 Update Date: 2024-11-05 Description NVIDIA has released a software update for NVIDIA® Container Toolkit and NVIDIA GPU Operator. To protect your system, install the software update as described in the installation section of the Details CVE-2024-0134 CVSS 3.1 Base Score: 4.1 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

News

Security Update for NVIDIA Container Toolkit
Development Last Updated: 11/6/2024 CVEs: CVE-2024-0134
About CVE-2024-0134 – NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability (5th Nov 2024)
Vulnerability details: NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The components of the NVIDIA container stack are packaged as the NVIDIA Container Toolkit.
CVE Alert: CVE-2024-0134
A successful exploit of this vulnerability might lead to data tampering. NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host.
NA - CVE-2024-0134 - NVIDIA Container Toolkit and NVIDIA GPU...
NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The...
CVE-2024-0134
CVE Id: CVE-2024-0134 Release Date: 2024-11-05 Update Date: 2024-11-05 Impact Moderate CVSS Base Score: 4.1 Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N Description No description is available for this CVE.
See 11 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:Required
Scope:Changed
Confidentiality:None
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI