
The Kubernetes Security Response Committee has disclosed two security vulnerabilities in the Kubernetes Image Builder that could allow attackers to gain root access to virtual machines. The vulnerabilities stem from the use of default credentials during the image build process.
The critical vulnerability, CVE-2024-9486, with a CVSS score of 9.8, specifically impacts images built with the Proxmox provider. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. This means attackers could exploit these credentials to gain complete control of the affected VMs.
The second vulnerability, tracked as CVE-2024-9594 with a CVSS score of 6.3, affects images built with the Nutanix, OVA, QEMU, or raw providers. These images also use default credentials during the build process, but the credentials are disabled once the build completes. They were therefore exposed only during the build itself and are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image while the build was occurring.
Clusters running VM images built with Kubernetes Image Builder v0.1.37 or earlier and any of the mentioned providers are potentially at risk.
Users are urged to rebuild any affected images using Image Builder v0.1.38 or later, which includes the necessary fixes. For CVE-2024-9486, a temporary mitigation involves disabling the “builder” account on affected VMs with the command usermod -L builder.
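The following script is an added example written for this page; it is not from the Kubernetes Security Response Committee or the Image Builder project. It checks whether the "builder" account named in the advisory is present on a node and whether its password is already locked, and applies the advisory's mitigation (usermod -L builder) only when the account exists and is still unlocked. It assumes a standard /etc/shadow layout (a password field beginning with "!" means locked; "*" means no password login); the sample shadow lines it uses for the offline demonstration are constructed, not taken from any real image.

```bash
#!/bin/sh
# Added example (not from the advisory): audit and lock the "builder"
# account on a node built from an affected Kubernetes Image Builder image.

# account_status NAME SHADOW_FILE
# Exit code: 0 = present and locked, 1 = present and unlocked, 2 = absent.
account_status() {
    entry=$(grep "^$1:" "$2" | head -n 1)
    [ -n "$entry" ] || return 2
    hash=$(printf '%s' "$entry" | cut -d: -f2)
    case "$hash" in
        '!'*|'*') return 0 ;;   # locked password or no password login
        *) return 1 ;;          # a usable password hash: login possible
    esac
}

# lock_if_unlocked NAME SHADOW_FILE
# Applies the advisory's interim mitigation (usermod -L) only when needed.
lock_if_unlocked() {
    rc=0
    account_status "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "$1: already locked"; return 0 ;;
        1) echo "$1: unlocked, locking with usermod -L"; usermod -L "$1" ;;
        2) echo "$1: not present"; return 0 ;;
    esac
}

# With --apply, act on the real system; otherwise run an offline demo
# against constructed shadow lines so the logic can be checked safely.
if [ "${1:-}" = "--apply" ]; then
    lock_if_unlocked builder /etc/shadow
else
    demo=$(mktemp)
    # Constructed sample data: three accounts, one locked, one unlocked.
    printf '%s\n' \
        'root:*:19000:0:99999:7:::' \
        'builder:$6$constructed$hash:19000:0:99999:7:::' \
        'locked:!$6$constructed$hash:19000:0:99999:7:::' > "$demo"
    for acct in root builder locked missing; do
        rc=0
        account_status "$acct" "$demo" || rc=$?
        echo "$acct: status code $rc (0=locked, 1=unlocked, 2=absent)"
    done
    rm -f "$demo"
fi
```

Run it without arguments to see the status codes on the constructed data, or as root with --apply to audit the live /etc/shadow. Note that usermod -L only locks the password: it does not remove the account or any SSH authorized_keys it may have, so rebuilding with Image Builder v0.1.38 or later remains the actual fix.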