A critical vulnerability in Kubernetes Image Builder has recently been patched in the latest release. The vulnerability stemmed from hard-coded credentials that gave malicious actors unauthorized access to affected nodes.
Kubernetes Image Builder Vulnerability
As per the latest security advisory, the Kubernetes Image Builder received patches for two security issues.
One of these, known as CVE-2024-9486, was caused by the presence of hard-coded credentials in the image-building process. These credentials remained active even in virtual machines (VMs) built with the Proxmox provider, leaving nodes vulnerable to unauthorized root access.
This vulnerability affected Kubernetes Image Builder versions v0.1.37 and earlier when used with the Proxmox provider. More details about this issue can be found on GitHub.
To address this vulnerability, Kubernetes advises users to rebuild images using the patched versions of Image Builder and deploy them to their VMs.
The severity of this vulnerability was rated as critical, with a CVSS score of 9.8. Security researcher Nicolai Rybnikar from Rybnikar Enterprises GmbH initially discovered the issue, and the Kubernetes project team promptly released a fix with Kubernetes Image Builder v0.1.38. Marcus Noble of the Image Builder project was credited for resolving the issue.
In addition to CVE-2024-9486, the same Image Builder release also fixed another security flaw identified as CVE-2024-9594. This medium-severity vulnerability (CVSS 6.3) is a similar issue to the first, but of lower severity, affecting images built with the Nutanix, OVA, QEMU, or raw providers. Further details can be found on GitHub.
Users are strongly advised to update to Kubernetes Image Builder version 0.1.38 or later to ensure they receive all necessary patches and mitigate potential risks. If immediate updating is not feasible, the Kubernetes Team recommends disabling the builder account on affected VMs using the command: usermod -L builder.
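The following is an added example, not part of the advisory or the Image Builder project: a small POSIX sh audit that a defender can run against a node (or a copy of its /etc/shadow) to find out whether the leftover builder account is absent, already locked, or still able to log in, and to apply the advisory's usermod -L workaround where needed. The function names builder_state and remediate_builder, the "dry" argument, and the shadow lines in the demo are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Kubernetes advisory): audit a node for the
# 'builder' account left behind by Image Builder and lock it if required.

# builder_state FILE
#   Prints one of: absent | locked | unlocked.
#   A password field starting with '!' or '*' is what `usermod -L` produces
#   (and what distributions use for no-login system accounts); anything
#   else, including an empty field, means the account can authenticate.
#   A missing or unreadable FILE is reported as absent.
builder_state() {
  line=$(grep '^builder:' "$1" 2>/dev/null) || { echo absent; return 0; }
  pw=$(printf '%s\n' "$line" | cut -d: -f2)
  case "$pw" in
    '!'*|'*'*) echo locked ;;
    *)         echo unlocked ;;
  esac
}

# remediate_builder FILE [DRY]
#   Locks the account when it is unlocked and prints the resulting state.
#   With a second argument the change is applied to FILE in place the way
#   usermod -L does (a '!' prefixed to the hash) so the effect can be checked
#   without root; without it the real `usermod -L builder` is run, which is
#   the advisory's recommended workaround until a rebuilt image is deployed.
remediate_builder() {
  state=$(builder_state "$1")
  if [ "$state" = unlocked ]; then
    if [ -n "$2" ]; then
      sed 's/^builder:/builder:!/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
      usermod -L builder
    fi
  fi
  builder_state "$1"
}

# Demonstration on a constructed shadow file, not a real node.
demo() {
  f=$(mktemp)
  printf 'root:*:19800:0:99999:7:::\n' > "$f"
  printf 'builder:$6$constructedhash:19800:0:99999:7:::\n' >> "$f"
  echo "before: $(builder_state "$f")"        # unlocked
  echo "after:  $(remediate_builder "$f" dry)" # locked
  rm -f "$f"
}

demo
```

On a real node, run builder_state /etc/shadow as root first; remediate_builder /etc/shadow without the second argument then calls usermod -L builder only when the account is actually open.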