Stratos Ally

Kubernetes Image Builder flaw exposes root access on nodes

Security researcher Nicolai Rybnikar discovered and reported a critical vulnerability in Kubernetes Image Builder. On successful exploitation, the flaw grants an attacker root access to Kubernetes nodes under specific conditions. The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in Image Builder version 0.1.38.

The flaw arises because Image Builder enables default credentials during the image build process. It only affects nodes that run virtual machine images created with the Image Builder project's Proxmox provider.

Images built with the Proxmox provider do not disable those default credentials once the build completes, so nodes deployed from the resulting images may be accessible to anyone who knows them.

Existing virtual machines cannot be patched in place. The interim mitigation is to disable the builder account on the affected virtual machines so that the default credential stops working.

The permanent fix is to rebuild the affected images with a fixed version of Image Builder (0.1.38 or later) and redeploy the affected virtual machines from the rebuilt images.
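The two steps above are easy to get wrong on a fleet, because a node only "looks" fixed once the account is actually locked. The script below is an added example (not code from the Kubernetes Image Builder project or from the original article): it classifies the `builder` account the article says to disable as absent, locked or active by reading `/etc/passwd` and `/etc/shadow`, and for an active account prints the interim lock command and the rebuild reminder. The account name is the one the article gives; the passwd and shadow contents in the demo are constructed samples, and `audit_live_node` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not code from the Kubernetes Image Builder project or the
# original article: audit a node for the "builder" account the article says to
# disable, and print the interim lock command. The /etc/passwd and /etc/shadow
# contents used in the demo at the bottom are constructed samples.

# builder_state PASSWD_CONTENT SHADOW_CONTENT
# Prints: absent (no passwd entry), locked (shadow hash starts with ! or *),
# or active (any other hash, including an empty one, which means passwordless).
builder_state() {
    passwd_content=$1
    shadow_content=$2
    if ! printf '%s\n' "$passwd_content" | grep -q '^builder:'; then
        echo absent
        return 0
    fi
    # Field 2 of the shadow entry is the password hash; usermod -L prefixes it
    # with "!", and "*" means the account has no usable password.
    pwhash=$(printf '%s\n' "$shadow_content" | awk -F: '$1 == "builder" { print $2 }')
    case "$pwhash" in
        '!'*|'*'*) echo locked ;;
        *)         echo active ;;
    esac
}

# audit_live_node (hypothetical helper name)
# Reads the real files. Exit status: 0 = nothing to do, 1 = active account
# (mitigate now), 2 = cannot tell (run as root so /etc/shadow is readable).
audit_live_node() {
    if [ ! -r /etc/shadow ]; then
        echo "cannot read /etc/shadow; rerun as root" >&2
        return 2
    fi
    state=$(builder_state "$(cat /etc/passwd)" "$(cat /etc/shadow)")
    echo "builder account: $state"
    if [ "$state" = active ]; then
        echo "interim mitigation:  usermod -L builder"
        echo "permanent fix: rebuild the image with Image Builder v0.1.38 or later and redeploy"
        return 1
    fi
    return 0
}

# Demo on constructed samples (the hashes are placeholders, not real hashes).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
builder:x:1000:1000::/home/builder:/bin/bash'
SAMPLE_SHADOW_ACTIVE='root:*:19600:0:99999:7:::
builder:$6$salt$placeholder:19600:0:99999:7:::'
SAMPLE_SHADOW_LOCKED='root:*:19600:0:99999:7:::
builder:!$6$salt$placeholder:19600:0:99999:7:::'

echo "image with default credentials left on: $(builder_state "$SAMPLE_PASSWD" "$SAMPLE_SHADOW_ACTIVE")"
echo "image after usermod -L builder:         $(builder_state "$SAMPLE_PASSWD" "$SAMPLE_SHADOW_LOCKED")"
```

Run `audit_live_node` as root on each node; a non-zero exit from the active branch is the signal to lock the account immediately and schedule the rebuild. An empty shadow hash is deliberately reported as active rather than locked, because an empty field means the account can log in with no password at all.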

Version 0.1.38 of Kubernetes Image Builder additionally resolves a lower-severity issue (CVE-2024-9594, CVSS score: 6.3) concerning default credentials in image builds created with the OVA, QEMU, Nutanix, or raw providers. Those providers disable the credentials once the build finishes, so the window of exposure is limited to the build itself and to an attacker who already has access to the machine on which the image is being built, which is why the score is lower.

Image Builder is a tool for building Kubernetes virtual machine images across various infrastructure providers. The images it produces are intended primarily for use with Cluster API, but they can also be used in other setups that rely on kubeadm.
