Kubernetes Image Builder Vulnerabilities
Summary
Two vulnerabilities affecting the Kubernetes Image Builder were recently disclosed: CVE-2024-9486 (CVSS 9.8) and CVE-2024-9594 (CVSS 6.3). Under the right conditions they allow an attacker to gain root access to Kubernetes nodes. Certain image build providers left the default administrative credentials enabled once the build process finished, so nodes deployed from those images could be logged into with known credentials and escalated to root. Both issues are resolved in Image Builder v0.1.38; affected images should be rebuilt with the fixed version and redeployed.
Affected Systems and/or Application
The vulnerabilities affect all versions of Image Builder up to and including v0.1.37 when images are built with the Proxmox provider (most severe), or with the Nutanix, OVA, QEMU, or raw providers.
Technical Details / Attack Overview
CVE-2024-9486:
This vulnerability applies to images built with an affected Image Builder version and the Proxmox provider. Default credentials are enabled during the build process and are not disabled when the build completes, so any node running such an image remains accessible with those credentials, which can then be used to obtain root. v0.1.38 resolves this by generating a random password that is valid only while the image is being built; the builder account is disabled once the build completes.
CVE-2024-9594:
This vulnerability is similar to CVE-2024-9486 but applies to the Nutanix, OVA, QEMU, and raw providers. The difference is that with these providers the default credentials are disabled at the end of the build, so the issue is exploitable only while the image is being built, not once the finished image has been deployed. That much shorter exposure window is the reason for its lower CVSS score.
Recommendations
The CFC recommends taking the following actions where possible:
- Disable the builder account on impacted VMs as an interim mitigation until the images can be rebuilt.
- Rebuild any affected images with a fixed version of Image Builder (v0.1.38 or later), then redeploy the fixed images to every VM that was impacted.
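The following script illustrates the interim mitigation above (locking the leftover builder account on a node) together with the audit that tells you whether a node built with an affected provider still carries usable default credentials, as described in the technical details. It is an added example written for this advisory, not code from Kudelski Security or the Image Builder project. It assumes the account is named `builder` (the Image Builder default; not stated on this page), and that the passwd and shadow paths can be overridden so the audit can be exercised against copied files without touching the live system.

```shell
#!/bin/sh
# Added example, not from the advisory or the Image Builder project.
# Audit a node for the leftover Image Builder "builder" account and lock it
# as an interim mitigation until the image is rebuilt with v0.1.38 or later.
# Assumptions (not stated in the advisory): the account is named "builder";
# "locked" means a "!"- or "*"-prefixed shadow hash.

# Report the state of an account from the given passwd and shadow files.
# Prints exactly one of: absent | locked | nopass | active
builder_account_state() {
    passwd_file="$1"; shadow_file="$2"; account="${3:-builder}"
    if ! grep -q "^${account}:" "$passwd_file"; then
        echo absent; return 0
    fi
    if ! grep -q "^${account}:" "$shadow_file"; then
        # No shadow entry: we cannot prove the account is locked, so treat it
        # as live and let the caller lock it.
        echo active; return 0
    fi
    # Second field of the shadow entry is the password hash.
    hash=$(awk -F: -v u="$account" '$1 == u { print $2 }' "$shadow_file")
    case "$hash" in
        '!'*|'*'*) echo locked ;;   # password disabled
        '')        echo nopass ;;   # empty field: no password required at all
        *)         echo active ;;   # usable hash: the default credentials still work
    esac
}

# Return 0 if the account still needs locking (active or nopass), 1 otherwise.
builder_account_needs_lock() {
    case "$(builder_account_state "$@")" in
        active|nopass) return 0 ;;
        *)             return 1 ;;
    esac
}

# Lock the live account on this node; must run as root.
# -L locks the password, -s removes the interactive shell, and -e sets an
# expiry date in the past so key-based SSH logins are refused as well.
lock_builder_account() {
    account="${1:-builder}"
    if builder_account_needs_lock /etc/passwd /etc/shadow "$account"; then
        usermod -L "$account" \
            && usermod -s /usr/sbin/nologin "$account" \
            && usermod -e 1970-01-02 "$account" \
            && echo "locked $account"
    else
        echo "$account: $(builder_account_state /etc/passwd /etc/shadow "$account"), nothing to do"
    fi
}

# Only act on the live system when explicitly asked:  sh lock_builder.sh --apply [account]
if [ "${1:-}" = "--apply" ]; then
    lock_builder_account "${2:-builder}"
fi
```

Run it with `--apply` on each node as root; without that flag it only defines the functions, so `builder_account_state /etc/passwd /etc/shadow` can be used on its own to inventory nodes before changing anything. Locking the account is a stopgap only: the node is still running an image produced by a vulnerable Image Builder version and should be replaced by one rebuilt with v0.1.38 or later.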
What is the CFC doing?
Kudelski Security has not observed or received indicators of active exploitation of these flaws. The CFC will continue to monitor the situation and send an advisory update as more information becomes available.