
Critical Kubernetes Image Builder bug allows SSH root access

A critical bug in Kubernetes Image Builder could allow unauthorized SSH access to virtual machines (VMs) due to default credentials being enabled during the image build process.

Image Builder is a tool used to build Kubernetes VM images across multiple infrastructure providers – and the images it creates include default credentials which can be used to gain root access to VMs.

The vulnerability means VM images built with the Proxmox provider are most at risk.

This flaw is tracked as CVE-2024-9486. It earned a 9.8 out of 10 CVSS severity rating, and it affects VM images built with the Proxmox provider on Image Builder version 0.1.37 or earlier.

The issue also affects images built with the Nutanix, OVA, QEMU or raw providers, but in those cases it is rated 6.3 on the ten-point CVSS scale and tracked under a separate identifier: CVE-2024-9594.

This bug can still be abused to gain root access. However, Nutanix, OVA, and QEMU disable the default credentials at the end of the image build process. This gives an attacker a much smaller window during which to exploit CVE-2024-9594: it can only happen during the build process.


Successful exploitation of CVE-2024-9594 would require the attacker "to reach the VM where the image build was happening and use the vulnerability to modify the image at the time the image build was occurring," Red Hat's Joel Smith explained.

To fix the flaw: Upgrade to Image Builder v0.1.38 or later. This version sets a randomly generated password for the duration of the image build, and then disables the builder account at the end of the build process.

After upgrading to a fixed version of Image Builder, users should re-deploy the new images to any affected VMs.

Alternatively, as a temporary workaround prior to upgrading, users can mitigate the flaw by disabling the builder account on affected images.
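To check whether an image still carries the exposed builder account described above, and to apply the workaround of disabling it, here is an added example (not code from the article or from the Image Builder project). It assumes the account is named `builder`, that the image's filesystem is mounted so its `/etc/shadow` can be read, and it uses two constructed sample shadow files to show the vulnerable and fixed states:

```shell
# Added example, not from the article or the Image Builder project.
# Assumptions: the build-time account is named "builder" and the image's
# /etc/shadow is readable (e.g. the image is mounted under some root).

# Print the state of one account in a shadow-format file:
#   absent     - no such account in the file
#   locked     - password field is "!", "*", "!!" or "!<hash>" (usermod -L)
#   nopassword - password field is empty, login needs no password at all
#   passworded - a usable hash is set; if it is the known build-time
#                password, this is the exposure the advisory describes
shadow_account_state() {
    file=$1
    user=${2:-builder}
    field=$(awk -F: -v u="$user" \
        '$1 == u { print $2; found = 1 } END { if (!found) print "__ABSENT__" }' \
        "$file")
    case $field in
        __ABSENT__)   echo absent ;;
        '')           echo nopassword ;;
        '!'*|'*'*)    echo locked ;;
        *)            echo passworded ;;
    esac
}

# Workaround from the advisory: disable the builder account. Locks the
# password and expires the account (date 1 = 1970-01-02) so neither a
# password nor an SSH key lets it log in. Must run as root inside the image.
disable_builder_account() {
    usermod -L -e 1 "${1:-builder}"
}

# Constructed sample data: one image with a live hash on "builder", one where
# the build disabled the account (as v0.1.38 does at the end of the build).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/shadow.vulnerable" <<'EOF'
root:!:19600:0:99999:7:::
builder:$6$constructedsalt$constructedhashvalue:19600:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/shadow.fixed" <<'EOF'
root:!:19600:0:99999:7:::
builder:!$6$constructedsalt$constructedhashvalue:19600:0:99999:7:::
EOF

# Example run against the constructed files:
#   shadow_account_state "$SAMPLE_DIR/shadow.vulnerable"   -> passworded
#   shadow_account_state "$SAMPLE_DIR/shadow.fixed"        -> locked
```

On a real image, point `shadow_account_state` at the mounted image's `/etc/shadow` and treat anything other than `locked` or `absent` as a reason not to deploy it.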

Rybnikar Enterprises' Nicolai Rybnikar found and reported the bug. ®

Source: theregister.com
