A critical flaw in Kubernetes Image Builder could allow attackers to gain root access if exploited under specific conditions.
A critical, Kubernetes Image Builder vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), could allow attackers to gain root access if exploited under specific conditions.
Only Kubernetes clusters with nodes using VM images from the Image Builder project and its Proxmox provider are impacted by this issue.
“A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process. Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials.” reads the advisory. “The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.”
The vulnerability was discovered by the cybersecurity researcher Nicolai Rybnikar Rybnikar Enterprises GmbH.
The flaw has been fixed in version 0.1.38. The fixed version sets a randomly-generated password for the duration of the image build and it disables the builder account at the conclusion of the image build.
To mitigate the issue, rebuild images with the patched Image Builder version and re-deploy them. Alternatively, disable the ‘builder’ account with usermod -L builder
on affected VMs.”
Kubernetes Image Builder v0.1.38 also addressed a default credentials issue tracked as CVE-2024-9594 (CVSS 6.3).
“A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access.” reads the advisory. “The credentials are disabled at the conclusion of the image build process. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Kubernetes Image Builder)