CVE-2024-9486: VM images built with Image Builder and Proxmox provider use default credentials
First published: Mon Oct 14 2024(Updated: )
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.
Credit: jordan@liggitt.net jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/kubernetes-sigs/image-builder | <0.1.38 | 0.1.38 |
| Kubernetes Image Builder | <0.1.38 | |
| <0.1.38 |
Remedy
Rebuild any affected images using a fixed version of Image Builder. Re-deploy the fixed images to any affected VMs.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/kubernetes/kubernetes/issues/128006
- https://github.com/kubernetes-sigs/image-builder/pull/1595
- https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ
- https://www.bleepingcomputer.com/news/security/critical-kubernetes-image-builder-flaw-gives-ssh-root-access-to-vms/
- https://www.theregister.com/2024/10/16/critical_kubernetes_image_builder_bug/
- https://nvd.nist.gov/vuln/detail/CVE-2024-9486
- https://github.com/advisories/GHSA-9224-ggvw-wh7v (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-9486?
CVE-2024-9486 has been assessed to have a medium severity due to the risk of default credentials being exploited.
How do I fix CVE-2024-9486?
To fix CVE-2024-9486, upgrade Kubernetes Image Builder to version 0.1.38 or later.
What are the affected versions of CVE-2024-9486?
CVE-2024-9486 affects Kubernetes Image Builder versions prior to 0.1.38.
What type of issue is CVE-2024-9486?
CVE-2024-9486 is a security vulnerability related to the use of default credentials during the image build process.
Which component is affected by CVE-2024-9486?
CVE-2024-9486 affects the Kubernetes Image Builder when using the Proxmox provider.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-9486
- alias/CVE-2024-9594
- agent/first-publish-date
- agent/weakness
- agent/title
- agent/type
- agent/description
- agent/severity
- collector/bleeping-computer
- source/BleepingComputer
- collector/the-register
- source/The Register
- agent/author
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/remedy
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-9224-ggvw-wh7v
- agent/last-modified-date
- agent/softwarecombine
- collector/nvd-cve
- collector/github-advisory
- agent/event
- agent/trending
- agent/tags
- agent/epss
- collector/epss-latest
- source/FIRST
- agent/source
- vendor/kubernetes
- canonical/kubernetes image builder
- package-manager/go