October 16, 2024 at 06:02PM
A critical bug in Kubernetes Image Builder (CVE-2024-9486) allows unauthorized SSH access to VMs due to default credentials. It poses the highest risk to Proxmox provider images, earning a CVSS of 9.8. Users should upgrade to Image Builder v0.1.38 or later to mitigate this vulnerability.
**Meeting Takeaways: Kubernetes Image Builder Vulnerability**
1. **Critical Bug Identified**: A significant vulnerability in Kubernetes Image Builder allows unauthorized SSH access to virtual machines (VMs) due to default credentials being active during the image build process.
2. **Affected Tool**: Image Builder is used for creating Kubernetes VM images across various infrastructure providers. The defect is that built images retain default credentials that grant root access.
3. **Risk Level**:
   - Highest risk associated with VM images built using the **Proxmox provider**, rated **9.8/10** on the CVSS severity scale (CVE-2024-9486).
   - Images built with **Nutanix, OVA, QEMU, or raw providers** are also affected but rated **6.3/10** under CVE-2024-9594.
4. **Exploitation Details**:
   - CVE-2024-9594 allows exploitation only during the image build process for Nutanix, OVA, and QEMU due to their method of handling default credentials.
   - Successful exploitation requires access to the VM during the image build.
5. **Recommended Action**:
   - **Upgrade to Image Builder v0.1.38 or later**: This new version generates a random password during builds and disables the builder account post-build.
   - After upgrading, rebuild and redeploy new images to affected VMs.
6. **Temporary Mitigation**: Users should disable the builder account as a short-term workaround before upgrading to a fixed version.
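The recommended action and the temporary mitigation above both come down to one question per VM: does the builder account still have a usable password? The script below is an added example, not code from the advisory or from the Image Builder project. It assumes the account is literally named `builder` (the summary only says "the builder account") and takes the shadow file path as a parameter so the same check can be run against a mounted image root or against the constructed sample it ships with. The lock step is plain `usermod`, applied here as the short-term workaround until the VM is redeployed from a v0.1.38 image.

```shell
#!/bin/sh
# Added example (not from the advisory or the Image Builder project).
# Audits a VM or a mounted image for a still-usable "builder" account and,
# on request, applies the short-term workaround of disabling that account.
# Assumption: the account name is "builder"; override with ACCOUNT=... if
# your images use a different name.

ACCOUNT="${ACCOUNT:-builder}"

# builder_password_usable SHADOW_FILE
# Returns 0 when ACCOUNT exists in SHADOW_FILE and its password field is
# neither locked ('!') nor a no-login marker ('*'). An empty field also
# counts as usable, since it means no password is required at all.
builder_password_usable() {
    entry=$(awk -F: -v u="$ACCOUNT" '$1 == u { print "found:" $2; exit }' "$1")
    [ -n "$entry" ] || return 1         # account absent from this shadow file
    hash=${entry#found:}
    case "$hash" in
        '!'*|'*'*) return 1 ;;          # already locked or disabled
    esac
    return 0
}

# lock_builder_account [--dry-run]
# Locks the password AND expires the account, so SSH logins by password or
# by an authorized key both stop; locking the password alone would still
# allow key-based logins. Must run as root on the affected VM.
lock_builder_account() {
    cmd="usermod -L -e 1970-01-02 $ACCOUNT"
    if [ "${1:-}" = "--dry-run" ]; then
        echo "would run: $cmd"
        return 0
    fi
    $cmd
}

# Demo on a constructed shadow sample (these are not real hashes).
sample=$(mktemp)
printf '%s\n' 'root:*:19900:0:99999:7:::' \
              'builder:$6$constructed$hash:19900:0:99999:7:::' > "$sample"
if builder_password_usable "$sample"; then
    echo "builder account has a usable password: apply the workaround"
    lock_builder_account --dry-run
else
    echo "builder account absent or already disabled"
fi
rm -f "$sample"
```

Run it with a mounted image root (`builder_password_usable /mnt/image/etc/shadow`) to triage images before they are deployed, and without `--dry-run` on a live VM to apply the lock; the account expiry is what closes the key-based path, which is why the lock and the expiry date are set together.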
7. **Bug Report**: The vulnerability was identified and reported by Nicolai Rybnikar from Rybnikar Enterprises.
Follow up on the upgrade and mitigation steps to secure affected systems against this vulnerability.