Critical Kubernetes Image Builder bug permits SSH root access • The Register

A critical bug in Kubernetes Image Builder could permit unauthorized SSH access to virtual machines (VMs) because default credentials are used during the image build process and, for some providers, remain in the finished image.

Image Builder is a tool used to build Kubernetes VM images across multiple infrastructure providers. The images it produces include default credentials, which can be used to gain root access to VMs booted from them.

Images built with the Proxmox provider are the most at risk: that provider does not disable the default credentials when the build finishes, so they remain valid in every VM deployed from the image.

The flaw is tracked as CVE-2024-9486, carries a 9.8 out of 10 CVSS severity rating, and affects VM images built with the Proxmox provider on Image Builder version 0.1.37 or earlier.

The issue also affects images built with the Nutanix, OVA, QEMU or raw providers, but in those cases it is rated 6.3 on the ten-point CVSS scale and tracked under a separate identifier: CVE-2024-9594.

This variant can still be abused to obtain root access. However, the Nutanix, OVA and QEMU providers disable the default credentials at the end of the image build process, which leaves an attacker a much smaller window in which to exploit CVE-2024-9594: the credentials are only usable while the build is running.

Successful exploitation of CVE-2024-9594 would require the attacker “to reach the VM where the image build was happening and use the vulnerability to modify the image at the time the image build was occurring,” Red Hat’s Joel Smith explained.

To fix the flaw, upgrade to Image Builder v0.1.38 or later. This version sets a randomly generated password for the duration of the image build and then disables the builder account at the end of the build process.

After upgrading to a fixed version of Image Builder, users should rebuild their images and re-deploy the new images to any affected VMs; upgrading the tool does nothing for images that have already been built and deployed.

Alternatively, prior to upgrading and as a temporary workaround, users can mitigate the flaw by disabling the builder account in affected images.
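The workaround above comes down to two guest-side checks: confirm which accounts in a built image still accept a password, and lock the leftover builder account. The following shell script is an added example written for this page, not code from The Register or from the Image Builder project. The /etc/shadow contents, the account names (including "builder", which the article only refers to as "the builder account") and the mount path passed to audit_image_root are constructed or hypothetical; the locking step reproduces textually what passwd -l does on a live system.

```shell
#!/bin/sh
# Added example (not from the article or the Image Builder project): audit a
# built VM image's /etc/shadow for accounts that still accept a password, then
# show the effect of locking one, which is what "disable the builder account"
# amounts to on the guest side. All data below is a constructed sample.

# Constructed /etc/shadow snapshot. Field 2 is the password field:
#   "*" or "!..."  -> no password can ever match (locked / disabled)
#   ""             -> empty password (login with no password at all)
#   anything else  -> a live hash that a known default password would satisfy
SAMPLE_SHADOW='root:*:19650:0:99999:7:::
daemon:*:19650:0:99999:7:::
builder:$6$Zt0ZxvxG$placeholderhashvalue0123456789abcdef:19650:0:99999:7:::
guest::19650:0:99999:7:::
ubuntu:!:19650:0:99999:7:::'

# Print one account name per line for every entry whose password field is
# neither "*" nor "!"-prefixed, i.e. every account that can still be logged
# into with a password (the empty-password case included).
unlocked_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 !~ /^[*!]/ { print $1 }'
}

# Return the shadow contents with the named account locked by prefixing its
# hash with "!" (the same edit `passwd -l <user>` makes on a live system).
# $1 = shadow contents, $2 = account name.
lock_in_shadow() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v user="$2" \
        '$1 == user && $2 !~ /^!/ { $2 = "!" $2 } { print }'
}

# Audit a mounted image root, e.g. audit_image_root /mnt/image (hypothetical
# path). Returns non-zero if any password-enabled account remains.
audit_image_root() {
    found=$(unlocked_accounts "$(cat "$1/etc/shadow")")
    [ -z "$found" ] && return 0
    printf 'password-enabled accounts in %s:\n%s\n' "$1" "$found" >&2
    return 1
}

echo "Accounts with usable passwords in the sample image:"
unlocked_accounts "$SAMPLE_SHADOW"
echo "After locking 'builder':"
unlocked_accounts "$(lock_in_shadow "$SAMPLE_SHADOW" builder)"
```

Run against a real artifact by mounting the image (or extracting the OVA/raw disk) and calling audit_image_root on the mount point; an empty result is what a correctly built v0.1.38 image should give, while a surviving builder entry means the image was built with a vulnerable version and should be rebuilt rather than patched in place.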

Rybnikar Enterprises’ Nicolai Rybnikar found and reported the bug. ®
