A critical vulnerability just received a fix with the latest Kubernetes Image Builder release. The vulnerability existed due to hard-coded credentials allowing unauthorized access to an adversary.
Kubernetes Image Builder Vulnerability
According to its latest advisory, two security issues received patches with the latest Kubernetes Image Builder.
One of these, identified as CVE-2024-9486, existed due to hard-coded credentials enabled during the image-building process. These credentials would remain enabled even with the virtual machines (VMs) built with the Proxmox provider, exposing any nodes using the images to root access from an unauthorized adversary.
This vulnerability impacted Kubernetes Image Builder versions v0.1.37 and earlier if built with Proxmox provider. The details about this vulnerability are available on GitHub here.
To mitigate the flaw, Kubernetes recommends that its users rebuild images with the patched Image Builder versions and deploy them to the VMs.
This vulnerability received a critical severity rating, with a CVSS score of 9.8. It first got the attention of the security researcher Nicolai Rybnikar from Rybnikar Enterprises GmbH. The project’s team addressed the issue in response, releasing the fix with Kubernetes Image Builder v0.1.38. The advisory acknowledged Marcus Noble of the Image Builder project for patching the issue.
In addition, the same Image Builder release also addressed another security flaw, identified as CVE-2024-9594. This medium-severity vulnerability (CVSS 6.3) is the same issue explained above; however, the severity is less for images built with Nutanix, OVA, QEMU, or raw providers. Hence, it’s identified separately and explained here on GitHub.
Users must ensure updating to the Kubernetes Image Builder version 0.1.38 or later to receive all the patches and avoid potential risks. In cases where an immediate update isn’t possible, Kubernetes’ Team advised users to disable the builder account using the command: usermod -L builder
on affected VMs.
Let us know your thoughts in the comments.
1 comment
Comments are closed.
Add Comment