CVE-2024-9486 (CVSS 9.8): Kubernetes Image Builder Flaw Exposes VMs to Root Access
The Kubernetes Security Response Committee has disclosed two security vulnerabilities (CVE-2024-9486 and CVE-2024-9594) in the Kubernetes Image Builder that could allow attackers to gain root access to virtual machines (VMs). The vulnerabilities stem from the use of default credentials during the image build process.
CVE-2024-9486: Proxmox Provider Poses Highest Risk
The more severe vulnerability, CVE-2024-9486 (CVSS 9.8), specifically impacts images built with the Proxmox provider. “Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials,” warns the security advisory. This means attackers could exploit these credentials to gain complete control of the affected VMs.
CVE-2024-9594: Other Providers Also Affected
CVE-2024-9594 (CVSS 6.3) affects images built with the Nutanix, OVA, QEMU, or raw providers. While these images also utilize default credentials during the build process, the credentials are disabled upon completion. However, “These images were vulnerable during the image build process and are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring,” clarifies the advisory.
Am I Vulnerable?
Clusters running VM images built with Kubernetes Image Builder v0.1.37 or earlier and any of the mentioned providers are potentially at risk. To check your Image Builder version, you can use the commands provided in the security advisory, such as make version for git clones or docker run –rm <image pull spec> version for container image releases.
Mitigating the Threat
The Kubernetes Security Response Committee urges users to rebuild any affected images using Image Builder v0.1.38 or later, which includes the necessary fixes. For CVE-2024-9486, a temporary mitigation involves disabling the “builder” account on affected VMs with the command usermod -L builder.
