Critical vulnerability reported in Kubernetes Image Builder
Take action: If you are using Kubernetes Image Builder, it's wise to update it. Yes, the flaws have a bunch of prerequisites, but there may be similar issues with other providers. Plan to update the image builder.
Learn More
A critical vulnerability has been discovered in Kubernetes Image Builder, potentially allowing unauthorized SSH access to virtual machines (VMs) built with specific versions of the tool. This flaw, tracked as CVE-2024-9486 (CVSS score 9.8), affects images built using the Proxmox provider and has been added to the Known Exploited Vulnerabilities (KEV) catalog.
- CVE-2024-9486 (CVSS score 9.8): Hardcoded default credentials used during the image-building process are not disabled afterward. This allows remote, unauthenticated attackers to SSH into vulnerable VMs and gain root access. VMs built with Kubernetes Image Builder version v0.1.37 or earlier using the Proxmox provider are affected.
- CVE-2024-9594 (CVSS score 6.3): Similar to CVE-2024-9486, but with additional requirements for exploitation. The vulnerability only affects the image during the build process, so an attacker needs access to the VM used for image creation. Affected systems are images built using the Nutanix, OVA, QEMU, or raw providers.
Administrators are advised to upgrade to Kubernetes Image Builder version v0.1.38 or later, which introduces randomly generated passwords during the build process and disables the default “builder” account.
You are vulnerable if:
- You are using Kubernetes Image Builder v0.1.37 or earlier.
- Your VMs are built with the Proxmox provider (critical vulnerability) or Nutanix, OVA, QEMU, or raw providers (medium vulnerability).
To check your version, you can use one of the following methods:
- For git clones: make version
- For installations via tarball: grep -o v0\.[0-9.]* RELEASE.md | head -1
- For container image releases: docker run --rm <image> version or podman run --rm <image> version, where <image> is the Image Builder container image reference you pulled
Mitigation:
- Upgrade: The best solution is to rebuild your VM images using Kubernetes Image Builder v0.1.38 or later.
- Temporary Fix: If upgrading is not immediately possible, disable the builder account using the command:
usermod -L builder
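As an added defender-side example (not code from the Kubernetes project or from the advisory), the POSIX shell functions below apply the two checks above: whether a reported Image Builder version falls in the affected v0.1.37-or-earlier range, and whether a VM's /etc/shadow still carries an enabled "builder" login (an account locked with usermod -L has a password field beginning with "!"). The shadow content in the demo is constructed; on a real VM you would run audit_builder_account /etc/shadow as root.

```shell
# Added example (not from the Kubernetes project); sample shadow data is constructed.

# Return 0 when an Image Builder version string is in the affected range
# (v0.1.37 or earlier), 1 otherwise.
image_builder_version_affected() {
    v=${1#v}                       # strip the leading 'v'
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -gt 0 ] || [ "$minor" -gt 1 ]; then
        return 1                   # v1.x or v0.2+ are outside the range
    fi
    if [ "$minor" -lt 1 ] || [ "$patch" -le 37 ]; then
        return 0                   # v0.0.x or v0.1.0 .. v0.1.37
    fi
    return 1
}

# Return 0 when the account in a /etc/shadow line is locked, i.e. the password
# field starts with '!' or '*' (what 'usermod -L' produces), 1 otherwise.
shadow_account_locked() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case $pw in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 when no usable 'builder' login exists in the given shadow file
# (account absent or locked), 1 when the default account is still enabled.
audit_builder_account() {
    line=$(grep '^builder:' "$1" 2>/dev/null) || return 0
    shadow_account_locked "$line"
}

# Demo on a constructed shadow file: builder still has a usable hash.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:*:19700:0:99999:7:::
builder:$6$constructedsalt$constructedhash:19700:0:99999:7:::
EOF
if audit_builder_account "$sample"; then
    echo "builder account absent or locked"
else
    echo "builder account enabled: run 'usermod -L builder' or rebuild with v0.1.38+"
fi
rm -f "$sample"
```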