CVE-2024-9594: VM images built with Image Builder with some providers use default credentials during builds
First published: Mon Oct 14 2024(Updated: )
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabled at the conclusion of the image build process. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project. Because these images were vulnerable during the image build process, they are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring.
Credit: jordan@liggitt.net jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/kubernetes-sigs/image-builder | <0.1.38 | 0.1.38 |
| Kubernetes Image Builder | <0.1.38 | |
| <0.1.38 |
Remedy
Rebuild any affected images using a fixed version of Image Builder. Re-deploy the fixed images to any affected VMs.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/kubernetes/kubernetes/issues/128007
- https://github.com/kubernetes-sigs/image-builder/pull/1596
- https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ
- https://www.bleepingcomputer.com/news/security/critical-kubernetes-image-builder-flaw-gives-ssh-root-access-to-vms/
- https://www.theregister.com/2024/10/16/critical_kubernetes_image_builder_bug/
- https://nvd.nist.gov/vuln/detail/CVE-2024-9594
- https://github.com/advisories/GHSA-8jpg-62jc-hwhr (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-9594?
CVE-2024-9594 has a high severity due to the potential for root access using default credentials.
How do I fix CVE-2024-9594?
To fix CVE-2024-9594, upgrade to Kubernetes Image Builder version 0.1.38 or later.
Which versions of Kubernetes Image Builder are affected by CVE-2024-9594?
Kubernetes Image Builder versions up to and including 0.1.37 are affected by CVE-2024-9594.
What impact does CVE-2024-9594 have on system security?
CVE-2024-9594 could allow unauthorized users to gain root access, compromising system security.
Is there a way to mitigate CVE-2024-9594 without upgrading?
Mitigating CVE-2024-9594 without upgrading may involve manually disabling default credentials, though upgrading is strongly recommended.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-9486
- alias/CVE-2024-9594
- agent/first-publish-date
- agent/description
- agent/type
- agent/weakness
- agent/title
- collector/bleeping-computer
- source/BleepingComputer
- collector/the-register
- source/The Register
- agent/author
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8jpg-62jc-hwhr
- agent/last-modified-date
- agent/softwarecombine
- collector/nvd-cve
- collector/github-advisory
- agent/event
- agent/trending
- agent/tags
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/source
- vendor/kubernetes
- canonical/kubernetes image builder
- package-manager/go