A critical vulnerability in Kubernetes could allow unauthorized SSH access to a virtual machine running an image created with the Kubernetes Image Builder project.
Kubernetes is an open-source platform that helps automate the deployment, scale, and operate virtual containers – lightweight environments for applications to run.
With Kubernetes Image Builder, users can create virtual machine (VM) images for various Cluster API (CAPI) providers, like Proxmox or Nutanix, that run the Kubernetes environment. These VMs are then used to set up nodes (servers) that become part of a Kubernetes cluster.
According to a security advisory on the Kubernetes community forums, the critical vulnerability affects VM images built with the Proxmox provider on Image Builder version 0.1.37 or earlier.
The issue is currently tracked as CVE-2024-9486 and consists in the use of default credentials enabled during the image-building process and not disabled afterward.
A threat actor knowing this could connect over a SSH connection and use these credentials to gain access with root privileges to vulnerable VMs.
The solution is to rebuild affected VM images using Kubernetes Image Builder version v0.1.38 or later, which sets a randomly generated password during the build process, and also disables the default “builder” account after the process is done.
If upgrading is not possible at this time, a temporary solution is to disable the builder account using the command:
usermod -L builder
More information about mitigation and how to check if your system is affected is available on this GitHub page.
The bulletin also warns that the same issue exists for images built with the Nutanix, OVA, QEMU or raw providers, but it has a medium-severity rating due to additional requirements for successful exploitation. The vulnerability is now identified as CVE-2024-9594.
Specifically, the flaw can only be exploited during the build process and requires an attacker to gain access to the image-creating VM and perform actions for the default credentials to persist, thus allowing future access to the VM.
The same fix and mitigation recommendation apply for CVE-2024-9594.
