Summary: The Kubernetes Security Response Committee has revealed two critical vulnerabilities in the Kubernetes Image Builder that could allow attackers to gain root access to virtual machines. The vulnerabilities, CVE-2024-9486 and CVE-2024-9594, are linked to the use of default credentials during the image build process.
Threat Actor: Unknown | unknown
Victim: Kubernetes Users | Kubernetes Users
Key Points:
- CVE-2024-9486 (CVSS 9.8) poses the highest risk, affecting images built with the Proxmox provider due to default credentials not being disabled.
- CVE-2024-9594 (CVSS 6.3) affects images built with Nutanix, OVA, QEMU, or raw providers, where default credentials are disabled post-build but were vulnerable during the build process.
- Clusters using Kubernetes Image Builder v0.1.37 or earlier with the mentioned providers may be at risk and should upgrade to v0.1.38 or later to mitigate the vulnerabilities.
- Temporary mitigation for CVE-2024-9486 includes disabling the "builder" account on affected VMs.

The Kubernetes Security Response Committee has disclosed two security vulnerabilities (CVE-2024-9486 and CVE-2024-9594) in the Kubernetes Image Builder that could allow attackers to gain root access to virtual machines (VMs). The vulnerabilities stem from the use of default credentials during the image build process.
CVE-2024-9486: Proxmox Provider Poses Highest Risk
The more severe vulnerability, CVE-2024-9486 (CVSS 9.8), specifically impacts images built with the Proxmox provider. "Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials," warns the security advisory. This means attackers could exploit these credentials to gain complete control of the affected VMs.
CVE-2024-9594: Other Providers Also Affected
CVE-2024-9594 (CVSS 6.3) affects images built with the Nutanix, OVA, QEMU, or raw providers. While these images also utilize default credentials during the build process, the credentials are disabled upon completion. However, "These images were vulnerable during the image build process and are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring," clarifies the advisory.
Am I Vulnerable?
Clusters running VM images built with Kubernetes Image Builder v0.1.37 or earlier and any of the mentioned providers are potentially at risk. To check your Image Builder version, you can use the commands provided in the security advisory, such as "make version" for git clones or "docker run --rm <image pull spec> version" for container image releases.
Mitigating the Threat
The Kubernetes Security Response Committee urges users to rebuild any affected images using Image Builder v0.1.38 or later, which includes the necessary fixes. For CVE-2024-9486, a temporary mitigation involves disabling the "builder" account on affected VMs with the command usermod -L builder.
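The version check and the "builder" account mitigation described above, as an added example script (not code from the advisory or the image-builder project): it classifies an Image Builder version string as affected or fixed, and inspects the builder entry of a shadow-format file to tell whether usermod -L builder has already been applied. The function names and the shadow lines used for testing are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the Kubernetes advisory or the image-builder
# project. Two defender-side checks derived from the advisory text.

# image_builder_vulnerable VERSION
# Returns 0 (true) when VERSION is v0.1.37 or earlier, the releases the advisory
# lists as affected. Feed it the output of "make version" (git clone) or
# "docker run --rm <image pull spec> version" (container image).
image_builder_vulnerable() {
    v=${1#v}                          # "v0.1.37" -> "0.1.37"
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}           # drop a suffix such as "-rc1" or "-dirty"
    [ "$major" -gt 0 ] && return 1    # 1.x.y and later are not affected
    [ "$minor" -gt 1 ] && return 1    # 0.2.x and later are not affected
    [ "$minor" -lt 1 ] && return 0    # 0.0.x is earlier than the fix
    [ "${patch:-0}" -le 37 ]          # 0.1.0 .. 0.1.37 are affected
}

# builder_account_locked SHADOW_LINE
# Takes the "builder" line from /etc/shadow and returns 0 when the password
# field is locked: "usermod -L builder" prefixes the hash with "!", and "*" or
# "!!" also means no password login. An empty hash is treated as NOT locked,
# since it may permit passwordless login. Returns 2 for a non-builder line.
builder_account_locked() {
    line=$1
    [ "${line%%:*}" = "builder" ] || return 2
    rest=${line#*:}
    hash=${rest%%:*}
    case $hash in
        '!'*|'*') return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_shadow_file FILE
# Looks up the builder entry in a shadow-format FILE (/etc/shadow on a node
# booted from an affected image) and reports whether the temporary mitigation
# from the advisory is still needed. Returns 0 when no action is required.
audit_shadow_file() {
    line=$(grep '^builder:' "$1" 2>/dev/null) || {
        echo "no builder account in $1"; return 0; }
    if builder_account_locked "$line"; then
        echo "builder account is locked: mitigation already applied"; return 0
    fi
    echo "builder account has a usable password: run 'usermod -L builder' now" \
         "and rebuild the image with Image Builder v0.1.38 or later"
    return 1
}

# Usage: sh check_builder.sh /etc/shadow   (reading the shadow file needs root)
if [ $# -gt 0 ]; then audit_shadow_file "$1"; fi
```

Locking the account is only the stop-gap the advisory names; the rebuilt image with v0.1.38 or later is still required.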