Critical default credential bug in Kubernetes Image Builder allows SSH root access

A critical bug in Kubernetes Image Builder could allow unauthorized SSH access to virtual machines (VMs) thanks to default credentials being enabled during the image build process.

Image Builder is a tool used to build Kubernetes VM images across multiple infrastructure providers. Images it creates include default credentials, which can be used to gain root access to VMs.

The vulnerability means VM images built with the Proxmox provider are most at risk.

This flaw is tracked as CVE-2024-9486. It earned a 9.8 out of 10 CVSS severity rating and affects VM images built with the Proxmox provider on Image Builder version 0.1.37 or earlier.

The issue also affects images built with Nutanix, OVA, QEMU or raw providers, but in these instances is rated 6.3 on the ten-point CVSS rating scale under a separate CVE tracker: CVE-2024-9594.

This bug can still be abused to gain root access. However, Nutanix, OVA, and QEMU disable the default credentials at the end of the image build process. This gives an attacker a much smaller window during which to exploit CVE-2024-9594 – it can only happen during the build process.

Successful exploitation of CVE-2024-9594 would require the attacker “to reach the VM where the image build was happening and use the vulnerability to modify the image at the time the image build was occurring,” Red Hat’s Joel Smith explained.

To fix the flaw, upgrade to Image Builder v0.1.38 or later. This version sets a randomly generated password for the duration of the image build, and then disables the builder account at the end of the build process.

After upgrading to a fixed version of Image Builder, users should re-deploy new images to any affected VMs.

Or, prior to upgrading and as a temporary workaround, users can mitigate the flaw by disabling the builder account.
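The following is an added audit helper, not code from the Image Builder project or from the article. It assumes the image is a Linux guest whose accounts live in an /etc/shadow-style file and that the leftover account is literally named "builder" (the article names the account but not its default password; the hashes below are constructed placeholders). It reports whether that account is absent, locked or still active, and shows how the temporary workaround (locking the account, the same "!" prefix that `usermod -L` or `passwd -l` writes) looks in a copy of the file, so the check can be run against a mounted image before and after the mitigation.

```shell
#!/bin/sh
# Added example: audit the "builder" account left behind by affected
# Image Builder versions. Not project code; shadow-file layout assumed.

# Print "absent", "locked" or "ACTIVE" for USER in an /etc/shadow-style FILE.
# A password field that starts with "!" or "*" can never match a login
# attempt, which is what "disabling the builder account" leaves behind.
shadow_account_state() {
    file="$1"
    user="$2"
    awk -F: -v u="$user" '
        $1 == u {
            found = 1
            if ($2 ~ /^[!*]/) { print "locked" } else { print "ACTIVE" }
            exit
        }
        END { if (!found) print "absent" }
    ' "$file"
}

# Write a locked copy of FILE to stdout: prefix USER's hash with "!" exactly
# as `usermod -L` does, leaving every other line untouched.
lock_in_shadow_copy() {
    file="$1"
    user="$2"
    awk -F: -v OFS=: -v u="$user" \
        '$1 == u && $2 !~ /^[!*]/ { $2 = "!" $2 } { print }' "$file"
}

# Constructed sample shadow files; hash values are placeholders, not real.
tmp=$(mktemp -d)
printf 'root:!:19600:0:99999:7:::\nbuilder:$6$PLACEHOLDERHASH:19600:0:99999:7:::\n' \
    > "$tmp/active.shadow"   # vulnerable state: builder still has a usable hash
printf 'root:!:19600:0:99999:7:::\nbuilder:!$6$PLACEHOLDERHASH:19600:0:99999:7:::\n' \
    > "$tmp/locked.shadow"   # workaround applied: account locked
printf 'root:!:19600:0:99999:7:::\n' \
    > "$tmp/absent.shadow"   # account removed entirely

# Stand-alone run: audit each sample, then apply the lock to the active one.
for f in active locked absent; do
    printf '%s: builder is %s\n' "$f" "$(shadow_account_state "$tmp/$f.shadow" builder)"
done
lock_in_shadow_copy "$tmp/active.shadow" builder > "$tmp/fixed.shadow"
printf 'after lock: builder is %s\n' "$(shadow_account_state "$tmp/fixed.shadow" builder)"
```

On a real image, point `shadow_account_state` at the mounted guest's shadow file (for example `/mnt/image/etc/shadow`); any result other than "locked" or "absent" means the workaround has not been applied and the image should be rebuilt with v0.1.38 or later, as described above.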

Rybnikar Enterprises’ Nicolai Rybnikar found and reported the bug. ®
