[Security Advisory] CVE-2024-9486 and CVE-2024-9594: VM images built with Kubernetes Image Builder use default credentials

1,649 views
Skip to first unread message

Joel Smith

unread,
Oct 14, 2024, 11:24:35 AMOct 14
to kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, distributo...@kubernetes.io

Hello Kubernetes Community,


A security issue was discovered in Kubernetes where an unauthorized user may be able to ssh to a node VM which uses a VM image built with the Kubernetes Image Builder project (https://github.com/kubernetes-sigs/image-builder).


For images built with the Proxmox provider, this issue has been rated Critical (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (9.8), and assigned CVE-2024-9486.


For images built with the Nutanix, OVA, QEMU or raw providers, this issue has been rated Medium (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H) (6.3), and assigned CVE-2024-9594.


Am I vulnerable?


Clusters using virtual machine images built with Kubernetes Image Builder (https://github.com/kubernetes-sigs/image-builder) version v0.1.37 or earlier are affected.


CVE-2024-9486: VMs using images built with the Proxmox provider are confirmed to be vulnerable.


CVE-2024-9594: VMs using images built with the Nutanix, OVA, QEMU or raw providers were vulnerable during the build process and are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring.


VMs using images built with all other providers are not affected.


To determine the version of Image Builder you are using, use one of the following methods:

* For git clones of the image builder repository:
    cd <local path to image builder repo>

    make version

* For installations using a tarball download:
    cd <local path to install location>

    grep -o v0\\.[0-9.]* RELEASE.md | head -1

* For a container image release:

    docker run --rm <image pull spec> version
  or
    podman run --rm <image pull spec> version

  or look at the image tag specified, in the case of an official image such as registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.37


How do I mitigate this vulnerability?

Rebuild any affected images using a fixed version of Image Builder. Re-deploy the fixed images to any affected VMs.


Prior to upgrading, this vulnerability can be mitigated by disabling the builder account on affected VMs:

usermod -L builder


Fixed Versions


Kubernetes Image Builder versions >= v0.1.38


Detection


The linux command "last builder" can be used to view logins to the affected "builder" account.


If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io


Additional Details


See the GitHub issues for more details: 

https://github.com/kubernetes/kubernetes/issues/128006

https://github.com/kubernetes/kubernetes/issues/128007


Acknowledgements


This vulnerability was reported by Nicolai Rybnikar @rybnico from Rybnikar Enterprises GmbH.


The issue was fixed and coordinated by Marcus Noble of the Image Builder project.


Thank You,


Joel Smith on behalf of the Kubernetes Security Response Committee


Reply all
Reply to author
Forward
0 new messages