October 16, 2024 at 12:59PM
A critical Kubernetes vulnerability, CVE-2024-9486, permits unauthorized SSH access to VM images built with the Image Builder project (version 0.1.37 or earlier) due to default credentials. Users are advised to upgrade to version 0.1.38 or temporarily disable the builder account. Similar issues exist for other providers, tracked as CVE-2024-9594.
### Meeting Takeaways on Kubernetes Vulnerabilities
1. **Critical Vulnerability Identified**:
– A critical vulnerability (CVE-2024-9486) in the Kubernetes Image Builder allows unauthorized SSH access to VMs built with its Proxmox provider (v0.1.37 or earlier).
– Default credentials are enabled during the image-building process and are left enabled in the finished image, which is the security risk.
2. **Impact**:
– If exploited, a threat actor can connect over SSH using the default credentials and gain root access to the affected VMs.
3. **Recommended Solutions**:
– **Primary Solution**: Rebuild affected VM images using Kubernetes Image Builder version v0.1.38 or later, which incorporates the following security measures:
– Implements a randomly generated password during the build.
– Disables the default “builder” account post-process.
– **Temporary Solution**: If upgrading is not feasible, disable the builder account by running `usermod -L builder`.
4. **Additional Vulnerabilities**:
– Another vulnerability (CVE-2024-9594) affects images built with the Nutanix, OVA, QEMU, or raw providers, but it carries a medium-severity rating because of additional exploitation requirements.
– Exploiting it requires access to the VM while the image is being built, since the default credentials are only usable during the build process.
5. **Mitigation Recommendations**:
– The same fix and temporary mitigation apply to CVE-2024-9594 as to CVE-2024-9486.
– More details on mitigation steps and how to assess system vulnerability can be found on a designated GitHub page.
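An added example (not from the advisory or the Image Builder project) for assessing images: a POSIX shell check that reads a shadow(5) file from a live VM or a mounted image and reports whether the default `builder` account is absent, locked, or still able to log in, with a helper that applies the `usermod -L builder` workaround only when needed. It assumes the shadow file path is passed as an argument (default `/etc/shadow`).

```shell
#!/bin/sh
# Added example, not from the advisory or the Image Builder project.
# Reads a shadow(5) file from a live VM or a mounted image and reports
# whether the default "builder" account can still authenticate.

# Print "absent", "locked" or "active" for USER in SHADOW_FILE
# (default /etc/shadow). A password field starting with "!" or "*"
# means password login is disabled, which is what `usermod -L` sets.
shadow_account_state() {
    user="$1"
    shadow_file="${2:-/etc/shadow}"
    line=$(grep "^${user}:" "$shadow_file" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo absent
        return 0
    fi
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$hash" in
        '!'*|'*'*) echo locked ;;
        *)         echo active ;;   # includes an empty password field
    esac
}

# Report the builder account state; succeed only if it cannot log in.
check_builder_account() {
    state=$(shadow_account_state builder "${1:-/etc/shadow}")
    echo "builder account: $state"
    [ "$state" != active ]
}

# Apply the advisory's temporary mitigation to the running system only
# when the account is still active (must be run as root).
lock_builder_account() {
    if [ "$(shadow_account_state builder)" = active ]; then
        usermod -L builder
    fi
}
```

Run `check_builder_account` on each VM or mounted image root to find the ones that still need rebuilding with v0.1.38 or later.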
### Action Items:
– Review and assess current Kubernetes Image Builder usage to identify any affected VM images.
– Schedule rebuilding of images to use the updated version or implement temporary workarounds as necessary.
– Share updated security practices with the team to prevent future vulnerabilities.