Introduction
A critical security vulnerability has been identified in Kubernetes Image Builder, posing significant risks to virtual machine (VM) environments. Tracked as CVE-2024-9486 [4] [5] [8], this flaw allows attackers to bypass authentication and authorization [2], potentially leading to unauthorized access [2]. The vulnerability affects specific versions of the Image Builder and has been addressed in subsequent updates. Organizations are urged to apply patches and implement robust security measures to mitigate associated risks.
Description
A critical vulnerability in Kubernetes Image Builder [6] [8] [9], tracked as CVE-2024-9486 with a CVSSv3.1 score of 9.8 [1] [5] [6] [8], poses significant risks by allowing attackers to bypass authentication and authorization processes, potentially leading to unauthorized SSH access to virtual machines (VMs) created with the Image Builder project [4]. This issue specifically affects VM images built using the Proxmox provider on Image Builder version 0.1.37 or earlier [4] [7], as default administrative credentials remain enabled during the image build process [1] [8]. Cybersecurity researcher Nicolai Rybnikar discovered this flaw, which has been emphasized by Red Hat’s Joel Smith, highlighting that these default credentials remain active in the resulting images [1], making nodes accessible [1]. Attackers can exploit this vulnerability to gain root access to vulnerable VMs [4], increasing the risk of privilege escalation, data exposure [2], and service disruption [2].
Additionally, a related security issue exists in Kubernetes Image Builder versions 0.1.37 and earlier, where default credentials are enabled when using Nutanix [3], OVA [3] [5] [6] [9], QEMU [3] [5] [6] [9], or raw providers [3] [4] [5] [6]. Although these credentials are disabled after the image build process [3], Kubernetes clusters remain vulnerable if their nodes utilize VM images created through the Image Builder project [3]. The vulnerability is significant only if an attacker can access the VM during the image build [3], allowing them to modify the image while the build is in progress [3].
This vulnerability has been addressed in version 0.1.38 of the Image Builder [8], which implements security measures by replacing default credentials with randomly generated passwords that are only active during the image build process and disabling the ‘builder’ account upon completion. Users and administrators of the affected versions are strongly advised to update to the latest version immediately [7]. To further reduce the risk of exploitation, it is recommended that users either rebuild images using the patched version and redeploy them or manually disable the ‘builder’ account on affected virtual machines using the command ‘usermod -L builder’.
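The workaround above (locking the ‘builder’ account) is easy to apply but hard to track across a fleet of nodes. The following is an added example, not code from the advisory or from the Kubernetes Image Builder project: a small POSIX shell audit that reports whether a node still carries a usable ‘builder’ account and, only when it does, applies the advisory's ‘usermod -L builder’ workaround. It assumes the standard /etc/shadow layout (name:hash:…), where a hash field beginning with ‘!’ or ‘*’ means password login is disabled; the function names are ours.

```shell
#!/bin/sh
# Added example, not code from the original advisory or the Kubernetes
# Image Builder project: check whether the 'builder' account that Image
# Builder <= 0.1.37 leaves enabled is still usable on a node, and lock it.
#
# Assumption (ours): the file follows the standard /etc/shadow layout,
# 'name:hash:lastchg:min:max:warn:inactive:expire:', and a hash field
# starting with '!' or '*' means password login is disabled.

# Print "absent", "locked" or "active" for USER in the shadow-format FILE.
shadow_entry_state() {
    file="$1"; user="$2"
    if ! grep -q "^${user}:" "$file"; then
        echo absent
        return 0
    fi
    # Second field of the matching line is the password hash.
    hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
    case "$hash" in
        '!'*|'*'*) echo locked ;;
        *)         echo active ;;
    esac
}

# Exit 0 when the node is safe (no usable builder account), 1 otherwise.
# Pass a copied shadow file to audit without root; defaults to /etc/shadow.
audit_builder_account() {
    file="${1:-/etc/shadow}"
    state=$(shadow_entry_state "$file" builder)
    case "$state" in
        absent) echo "builder account not present: ok"; return 0 ;;
        locked) echo "builder account present but locked: ok"; return 0 ;;
        *)      echo "builder account ACTIVE: node is exposed"; return 1 ;;
    esac
}

# Apply the advisory's workaround only if the account is still active.
# Must run as root on the node itself, since it edits the real /etc/shadow.
lock_builder_if_active() {
    if ! audit_builder_account /etc/shadow; then
        usermod -L builder && echo "builder account locked"
    fi
}

# Usage on a node (run as root):
#   audit_builder_account || lock_builder_if_active
```

Locking the account is the short-term fix only; nodes should still be rebuilt from images produced by Image Builder 0.1.38 or later, because the audit only checks password login for ‘builder’ and says nothing about any SSH keys or other changes an attacker may have left behind.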
Version 0.1.38 also resolves CVE-2024-9594 (CVSS score: 6.3) [5], which concerns default credentials in images built with Nutanix [5], OVA [3] [5] [6] [9], QEMU [3] [5] [6] [9], or raw providers [3] [4] [5] [6]. This vulnerability is considered to have a lower severity due to the requirement that an attacker must have access to the VM during the image build process, as the default credentials are disabled after the build [3] [6].
Organizations using default configurations or exposing their API servers to the public internet are particularly at risk [2]. Key security management issues highlighted by these vulnerabilities include misconfigurations in Role-Based Access Control (RBAC) [2], which can create security loopholes. It is essential for organizations to implement fine-grained RBAC policies and conduct regular audits of access logs to detect unauthorized activities [2]. Furthermore, exposing the Kubernetes API server to external networks increases vulnerability [2]; thus, security measures such as network segmentation and zero-trust security models should be enforced to limit access [2].
Timely application of patches is critical [2]. The Kubernetes team has released patches for CVE-2024-9486 [2], and organizations must ensure their environments are updated to mitigate risks [2]. To address these vulnerabilities [5] [6], organizations should apply the latest patches [2], review and refine RBAC configurations to enforce least privilege access [2], and monitor cluster activity for signs of compromise [2]. Proactive security measures are essential to safeguard Kubernetes environments and the critical data and services they support [2].
Conclusion
The vulnerabilities in Kubernetes Image Builder underscore the importance of maintaining up-to-date systems and implementing comprehensive security strategies. Organizations must prioritize patch management, refine access controls, and monitor systems for suspicious activities to protect against potential exploits. By adopting proactive security measures, organizations can safeguard their Kubernetes environments and ensure the integrity and confidentiality of their data and services.
References
[1] https://cionews.co.in/kubernetes-image-builder-exposes/
[2] https://nordicdefender.com/blog/cve-2024-9486-exposes-nodes-to-root-access
[3] https://www.tenable.com/cve/CVE-2024-9594
[4] https://www.blackhatethicalhacking.com/news/critical-kubernetes-flaw-exposes-vms-to-root-level-ssh-attacks/
[5] https://thehackernews.com/2024/10/critical-kubernetes-image-builder.html
[6] https://socradar.io/critical-vulnerabilities-affecting-github-enterprise-server-kubernetes-image-builder-and-givewp-plugin/
[7] https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-133
[8] https://securityaffairs.com/169919/security/kubernetes-image-builder-critical-flaw.html
[9] https://thenimblenerd.com/article/kubernetes-image-builder-vulnerability-a-root-access-comedy-of-errors/