Critical Vulnerability in Kubernetes Image Builder Allows Root SSH Access to VMs
October 16, 2024
A critical flaw has been identified in Kubernetes Image Builder, a project of Kubernetes, the open-source platform used to automate the deployment, scaling, and operation of application containers. The vulnerability could enable unauthorized SSH access to a virtual machine (VM) that is running an image created with the Kubernetes Image Builder project. Image Builder lets users create VM images for various Cluster API (CAPI) providers, such as Proxmox or Nutanix, which are then used to provision the nodes (servers) that make up a Kubernetes cluster.
According to a security advisory on the Kubernetes community forums, the critical vulnerability specifically impacts VM images built with the Proxmox provider on Image Builder version 0.1.37 or earlier. The flaw, tracked as CVE-2024-9486, arises from the use of default credentials during the image-building process, which are not subsequently disabled. A threat actor who knows these credentials could establish an SSH connection and gain root access to vulnerable VMs.
The advised solution is to rebuild the impacted VM images using Kubernetes Image Builder version v0.1.38 or a later version. This updated version generates a random password during the build process and disables the default 'builder' account once the process is completed. If upgrading is not feasible, a temporary solution is to disable the builder account.
The advisory also highlights a similar issue for images built with the Nutanix, OVA, QEMU, or raw providers, designated as CVE-2024-9594. However, this flaw has a medium-severity rating due to additional prerequisites for successful exploitation. This flaw can only be exploited during the build process and requires an attacker to access the image-creating VM and perform specific actions for the default credentials to persist, thus permitting future access to the VM. The same fix and mitigation recommendations apply for CVE-2024-9594.
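As an added example (not part of the advisory or the Image Builder project), the following POSIX shell functions audit a node for a leftover `builder` account and apply the advisory's interim mitigation of disabling it. The functions assume the standard `/etc/passwd` and `/etc/shadow` layouts and the `usermod` utility; the file paths are parameters so the audit can also be run against copies of those files taken from an image.

```shell
#!/bin/sh
# Audit and interim mitigation for the default 'builder' account that
# Image Builder <= v0.1.37 leaves enabled. Added example; assumes
# standard passwd/shadow field layouts and the usermod utility.

# Returns 0 if a 'builder' user exists in the given passwd file.
builder_account_present() {
  grep -q '^builder:' "${1:-/etc/passwd}"
}

# Returns 0 if the builder password hash is locked ('!' or '*' prefix).
# An empty or plain hash field means password logins are still possible.
builder_password_locked() {
  hash=$(awk -F: '$1=="builder"{print $2}' "${1:-/etc/shadow}")
  case "$hash" in
    '!'*|'*'*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Returns 0 if the builder login shell is a non-interactive one.
builder_shell_disabled() {
  shell=$(awk -F: '$1=="builder"{print $7}' "${1:-/etc/passwd}")
  case "$shell" in
    */nologin|*/false) return 0 ;;
    *)                 return 1 ;;
  esac
}

# Overall audit: returns 0 when no exposure is found, 1 otherwise.
# $1: passwd file, $2: shadow file (defaults to the live system files).
audit_builder() {
  passwd=${1:-/etc/passwd}
  shadow=${2:-/etc/shadow}
  if ! builder_account_present "$passwd"; then
    echo "builder account absent: nothing to do"
    return 0
  fi
  status=0
  builder_password_locked "$shadow" || {
    echo "builder password is NOT locked (CVE-2024-9486 exposure)"
    status=1
  }
  builder_shell_disabled "$passwd" || {
    echo "builder account still has an interactive shell"
    status=1
  }
  return $status
}

# Interim mitigation from the advisory: disable the account. Must run as root
# on the affected node; a rebuild with Image Builder >= v0.1.38 is the real fix.
remediate_builder() {
  usermod -L builder && usermod -s /usr/sbin/nologin builder
}

# Typical use on a node:  audit_builder || remediate_builder
```

Running `audit_builder` with no arguments inspects the live node; `remediate_builder` locks the password and removes the login shell, which is the temporary measure the advisory recommends until images are rebuilt.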