
Critical Kubernetes Image Builder bug allows SSH root access • The Register

A critical bug in Kubernetes Image Builder could allow unauthorized SSH access to virtual machines (VMs): default credentials are enabled during the image build process and, for one provider, are left enabled in the finished image.

Image Builder is the Kubernetes project's tool for building Kubernetes node VM images for a range of infrastructure providers. In affected versions the build enables a default account with default credentials, and those credentials can be used to gain root access to the VM.

Images built with the Proxmox provider are the most exposed, because those images ship with the default credentials still enabled.

This flaw is tracked as CVE-2024-9486, has a CVSS severity rating of 9.8 out of 10 and affects virtual machine images created with the Proxmox provider on Image Builder version 0.1.37 or earlier.

The issue also affects images built with the Nutanix, OVA, QEMU, or raw providers, but in those cases it is rated 6.3 on the ten-point CVSS scale and tracked under a separate identifier, CVE-2024-9594.

That bug can also be exploited to gain root access, but the Nutanix, OVA, QEMU, and raw providers disable the default credentials at the end of the build, so the window for exploiting CVE-2024-9594 is much shorter: it is open only while the image is being built.

Successful exploitation of CVE-2024-9594 would require the attacker to "reach the virtual machine where the image creation was occurring and use the vulnerability to modify the image at the time the image creation was occurring," said Joel Smith of Red Hat.

To fix the flaw, upgrade to Image Builder v0.1.38 or later. That version sets a randomly generated password for the duration of the build and disables the builder account when the build finishes.

Upgrading alone does not fix images that have already been built: after upgrading, users must rebuild their images and redeploy them to all affected virtual machines.

As a temporary workaround before upgrading, users can mitigate the flaw by disabling the builder account on affected VMs (for example with usermod -L builder).
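An added example (not code from the article or from the Image Builder project) of a POSIX shell check for that workaround: it reads shadow-format entries and reports whether the builder account is absent, locked, or still enabled, so an operator can audit running nodes and mounted image trees before and after applying the lock. The account name builder and the sample shadow lines are assumptions constructed for this example; check_node and lock_builder are the helpers an operator would run as root on an affected node.

```shell
#!/bin/sh
# Added example, not code from the article or from Kubernetes Image Builder.
# Assumption: the default account Image Builder creates is named "builder"
# (the account the workaround disables). Shadow lines below are constructed
# samples, not taken from a real system.

# Constructed /etc/shadow contents for an image whose default account is open.
SAMPLE_SHADOW_OPEN='root:*:19000:0:99999:7:::
builder:$6$saltsalt$notarealhash:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::'

# The same account after "usermod -L builder": a "!" is prefixed to the hash.
SAMPLE_SHADOW_LOCKED='root:*:19000:0:99999:7:::
builder:!$6$saltsalt$notarealhash:19000:0:99999:7:::'

# An image in which the account was never created.
SAMPLE_SHADOW_ABSENT='root:*:19000:0:99999:7:::'

# account_state NAME SHADOW_CONTENTS
# Prints "absent" if NAME has no entry, "locked" if its password field starts
# with "!" or "*" (what usermod -L / passwd -l produce), otherwise "enabled".
# An empty password field also counts as enabled: it means no password at all.
account_state() {
    name=$1
    entry=$(printf '%s\n' "$2" | awk -F: -v user="$name" \
        '$1 == user { print "found:" $2; exit }')
    case "$entry" in
        "")                      echo absent ;;
        "found:!"*|"found:*"*)   echo locked ;;
        *)                       echo enabled ;;
    esac
}

# check_node [MOUNT_POINT]
# Audits the builder account on the running node, or on an image's root
# filesystem mounted at MOUNT_POINT. Needs root to read shadow.
# Returns 0 when the account is absent or locked, 1 when it is still usable,
# 2 when the shadow file cannot be read (so a permissions error is never
# mistaken for "absent").
check_node() {
    root=${1:-}
    shadow="$root/etc/shadow"
    if [ ! -r "$shadow" ]; then
        echo "cannot read $shadow (run as root)" >&2
        return 2
    fi
    state=$(account_state builder "$(cat "$shadow")")
    echo "builder account: $state"
    [ "$state" != enabled ]
}

# lock_builder
# The interim workaround for nodes that cannot be rebuilt yet. usermod -L only
# locks password authentication; review ~builder/.ssh/authorized_keys
# separately, since a locked password does not remove key-based access.
lock_builder() {
    usermod -L builder
}
```

Run check_node on each node (or on a mounted image root) to confirm the state before locking, and again afterwards; a node built with a fixed Image Builder release should already report locked. The audit reads shadow entries rather than relying on the build tool's own log, so it works on images whose provenance is unknown.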

Nicolai Rybnikar of Rybnikar Enterprises found and reported the bug. ®