Incomplete patching leaves Nvidia, Docker exposed to DoS attacks

“This issue affects Docker on Linux systems,” Trend Micro said in a blog post. “When a new container is created with multiple mounts configured using (bind-propagation=shared), multiple parent/child paths are established. However, the associated entries are not removed in the Linux mount table after container termination.”

The leaked entries produce a bloated mount table that grows without bound, quickly exhausting the available file descriptors (FDs). Once the FD supply is exhausted, Docker hits a wall and can no longer spin up new containers. An oversized mount table also degrades system performance, to the point of locking users out of the host entirely and creating a DoS condition, according to the blog.
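A host-side check for the condition described above, added here as an example (this is not code from the article or from Trend Micro's post). It parses the /proc/&lt;pid&gt;/mountinfo format and counts shared-propagation entries, entries under Docker's data root, and mount points that appear more than once, which is what leaked parent/child bind mounts look like in the table. The Docker root path /var/lib/docker, the warning threshold, and the sample mount table are assumptions constructed for the example; on a live host you would point it at /proc/self/mountinfo and compare against a baseline taken before and after containers are stopped.

```shell
#!/bin/sh
# Added example, not code from the article or from Trend Micro's post: a host-side
# check for mount-table bloat from leaked shared-propagation bind mounts.
# mountinfo format: id parent major:minor root mountpoint opts [optional fields] - fstype source superopts
# (mount points with spaces are octal-escaped in mountinfo, so whitespace splitting is safe)

# Count entries tagged with a "shared:N" peer group in the optional fields.
count_shared_mounts() {
    # $1: path to a mountinfo-format file
    awk '{
        shared = 0
        for (i = 7; i <= NF && $i != "-"; i++)
            if ($i ~ /^shared:[0-9]+$/) shared = 1
        if (shared) n++
    } END { print n + 0 }' "$1"
}

# Count entries whose mount point (field 5) starts with the given prefix.
count_mounts_under() {
    # $1: mountinfo file, $2: path prefix, e.g. /var/lib/docker (assumed data root)
    awk -v p="$2" 'index($5, p) == 1 { n++ } END { print n + 0 }' "$1"
}

# Count distinct mount points that are mounted more than once.
duplicate_mountpoints() {
    # $1: mountinfo file
    awk '{ c[$5]++ } END { for (m in c) if (c[m] > 1) d++; print d + 0 }' "$1"
}

# Exit 0 when the table has more entries than the threshold, 1 otherwise.
mount_table_bloated() {
    # $1: mountinfo file, $2: threshold in entries (an assumption; tune it to a
    # baseline taken on a healthy host)
    total=$(awk 'END { print NR }' "$1")
    [ "$total" -gt "$2" ]
}

# Constructed sample (made up for this example, not captured from a real host):
# four ordinary system mounts plus four stale entries for the same Docker volume
# path left behind by a terminated container.
SAMPLE_MOUNTINFO=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTINFO"' EXIT
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
22 28 0:20 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
23 28 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
30 28 0:22 / /run rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw
410 28 8:1 /var/lib/docker/volumes/vol-a/_data /var/lib/docker/volumes/vol-a/_data rw,relatime shared:210 - ext4 /dev/sda1 rw
411 410 8:1 /var/lib/docker/volumes/vol-a/_data /var/lib/docker/volumes/vol-a/_data rw,relatime shared:211 - ext4 /dev/sda1 rw
412 411 8:1 /var/lib/docker/volumes/vol-a/_data /var/lib/docker/volumes/vol-a/_data rw,relatime shared:212 - ext4 /dev/sda1 rw
413 412 8:1 /var/lib/docker/volumes/vol-a/_data /var/lib/docker/volumes/vol-a/_data rw,relatime shared:213 - ext4 /dev/sda1 rw
EOF

# Print a summary; pass /proc/self/mountinfo as $1 on a live host.
report() {
    f="${1:-$SAMPLE_MOUNTINFO}"
    echo "entries:            $(awk 'END { print NR }' "$f")"
    echo "shared propagation: $(count_shared_mounts "$f")"
    echo "under docker root:  $(count_mounts_under "$f" /var/lib/docker)"
    echo "duplicate mounts:   $(duplicate_mountpoints "$f")"
    if mount_table_bloated "$f" 5; then
        echo "WARNING: mount table above threshold"
    fi
}
report
```

The useful signal is not any single count but the delta: a mount point that keeps gaining duplicate entries under the Docker root after its container has exited is exactly the leak the quote describes, so run the report on a schedule and alert on growth rather than on one absolute number.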

Carrying out the DoS requires root-level privileges on the host, which an attacker can obtain by exploiting CVE-2024-0132. To illustrate, Trend Micro outlines a potential attack chain built on two malicious container images that exploit the TOCTOU flaw to gain full root-level privileges and, at the same time, carry out the DoS attack.