
Security: curl --insecure disables TLS verification during NVIDIA container build #54

@kvinwang

Description


Note: This issue documents a vulnerability that was originally reported privately as the repository security advisory GHSA-6f59-hmhr-hgf3 by @pbeza.

Root Cause

The libnvidia-container build recipe sets export CURL = "curl --insecure" and enables network access during compilation via do_compile[network] = "1". Together these mean that any dependency fetched through CURL during do_compile is downloaded without TLS certificate verification, and outside do_fetch, which is the only task whose downloads BitBake checks against the checksums pinned in SRC_URI. An attacker positioned between the build machine and the upstream servers can therefore substitute the downloaded content (man-in-the-middle) without the build noticing.

# libnvidia-container_1.00.bb:42
export CURL = "curl --insecure"

# libnvidia-container_1.00.bb:60
do_compile[network] = "1"

Attack Path

  1. Attacker performs a MitM attack on the network between the build machine and upstream servers
  2. Build process fetches dependencies with curl --insecure, so the server's certificate is never checked and the attacker's endpoint is accepted as the upstream server
  3. Attacker substitutes malicious code for legitimate dependencies
  4. Malicious code is compiled into the libnvidia-container binary
  5. The binary is included in all NVIDIA-enabled dstack guest images
  6. Every CVM using GPU support runs the backdoored binary

Impact

Supply-chain attack: malicious code injected during the build is shipped in every NVIDIA-enabled dstack image. The backdoored binary runs inside CVMs with access to all secrets and key material, so a single compromised build affects every deployment that uses the resulting image.

Suggested Fix

  1. Remove the --insecure flag: export CURL = "curl" (or drop the override entirely so the build uses the default curl with certificate verification on)
  2. Pin and verify checksums (e.g. sha256) for every downloaded dependency, and fail the build on a mismatch
  3. Preferably list all dependencies in SRC_URI so they are downloaded during do_fetch, where BitBake verifies them against the pinned checksums, rather than during do_compile
  4. If network access during compilation is unavoidable, point the build at a local mirror whose contents have been verified
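As an added example (not code from the dstack or libnvidia-container projects): a POSIX shell script that audits recipe fragments for the two settings described above and shows the verified-fetch pattern the fix calls for. The recipe fragments, the example.invalid URLs and the all-zero digests in it are constructed placeholders, not real project values; the fetch_verified function needs network access and is not exercised by the demo.

```shell
#!/bin/sh
# Added example (not code from the dstack or libnvidia-container projects):
# an audit check for the two recipe settings this issue describes, plus the
# pinned-digest fetch that the fix calls for. Recipe fragments, URLs and
# digests below are constructed placeholders (assumption), not project values.
set -u

# Constructed "before" fragment: the pattern quoted in the issue.
INSECURE_RECIPE='SRC_URI = "https://example.invalid/libnvidia-container-1.00.tar.gz"
export CURL = "curl --insecure"
do_compile[network] = "1"
'

# Constructed "after" fragment: no CURL override, every download listed in
# SRC_URI with a pinned sha256 so do_fetch verifies it, and no network in
# do_compile (the default, so the line is simply omitted).
# The 64-zero digests are placeholders; a real recipe uses the real digests.
FIXED_RECIPE='SRC_URI = "https://example.invalid/libnvidia-container-1.00.tar.gz;name=main \
           https://example.invalid/dep-1.0.tar.gz;name=dep"
SRC_URI[main.sha256sum] = "0000000000000000000000000000000000000000000000000000000000000000"
SRC_URI[dep.sha256sum] = "0000000000000000000000000000000000000000000000000000000000000000"
'

# write_samples DIR: writes both fragments as insecure.bb and fixed.bb.
write_samples() {
    printf '%s' "$INSECURE_RECIPE" > "$1/insecure.bb"
    printf '%s' "$FIXED_RECIPE" > "$1/fixed.bb"
}

# audit_recipe FILE: prints one line per finding and returns 1 if the recipe
# overrides CURL with certificate checks off (--insecure or a -k flag) or
# gives do_compile network access, which lets downloads bypass do_fetch's
# checksum verification. Returns 0 for a clean recipe.
audit_recipe() {
    rc=0
    if grep -Eq '^[[:space:]]*export[[:space:]]+CURL[[:space:]]*=.*(--insecure|[[:space:]]-[A-Za-z]*k([[:space:]]|"|$))' "$1"; then
        echo "$1: CURL override disables TLS certificate verification"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*do_compile\[network\][[:space:]]*=[[:space:]]*"1"' "$1"; then
        echo "$1: do_compile has network access; downloads there skip do_fetch checksums"
        rc=1
    fi
    return $rc
}

# sha256_of FILE: hex digest, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: returns 0 only if the digest matches.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_verified URL EXPECTED_SHA256 OUT: what the fix amounts to when a
# download cannot be moved into do_fetch. TLS verification stays on, only
# https is allowed, and the file is kept only if the pinned digest matches.
# Needs network, so the demo below does not call it.
fetch_verified() {
    tmp=$(mktemp)
    if ! curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 -o "$tmp" "$1"; then
        rm -f "$tmp"; return 1
    fi
    if verify_sha256 "$tmp" "$2"; then
        mv "$tmp" "$3"
    else
        echo "checksum mismatch for $1, discarding download" >&2
        rm -f "$tmp"; return 1
    fi
}

# Demo: audit both constructed recipes; only fixed.bb passes.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for r in "$demo_dir/insecure.bb" "$demo_dir/fixed.bb"; do
    if audit_recipe "$r"; then echo "$r: OK"; fi
done
rm -rf "$demo_dir"
```

Running the script reports two findings for insecure.bb and "OK" for fixed.bb. The audit can be run over a whole layer with a loop over *.bb files; the fetch_verified pattern is a fallback for builds that truly cannot move a download into do_fetch, and it still relies on the digest being pinned in the recipe rather than fetched alongside the file.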

Note: This finding was reported automatically as part of an AI/Claude-driven internal audit by the NEAR One MPC team. It has not been manually verified by a human to confirm whether it constitutes an actual security issue.
