Critical Kubernetes Image Builder Vulnerability Exposes Nodes to Root Access Risk
A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances.
The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability.
“A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process,” Red Hat’s Joel Smith said in an alert.
“Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access.”
That having said, Kubernetes clusters are only impacted by the flaw if their nodes use virtual machine (VM) images created via the Image Builder project with the Proxmox provider.
As temporary mitigations, it has been advised to disable the builder account on affected VMs. Users are also recommended to rebuild affected images using a fixed version of Image Builder and redeploy them on VMs.
The fix put in place by the Kubernetes team eschews the default credentials for a randomly-generated password that’s set for the duration of the image build. In addition, the builder account is disabled at the end of the image build process.
Kubernetes Image Builder version 0.1.38 also addresses a related issue (CVE-2024-9594, CVSS score: 6.3) concerning default credentials when image builds are created using the Nutanix, OVA, QEMU or raw providers.
The lower severity for CVE-2024-9594 stems from the fact that the VMs using the images built using these providers are only affected “if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring.”
The development comes as Microsoft released server-side patches three Critical-rated flaws Dataverse, Imagine Cup, and Power Platform that could lead to privilege escalation and information disclosure –
- CVE-2024-38139 (CVSS score: 8.7) – Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network
- CVE-2024-38204 (CVSS score: 7.5) – Improper Access Control in Imagine Cup allows an authorized attacker to elevate privileges over a network
- CVE-2024-38190 (CVSS score: 8.6) – Missing authorization in Power Platform allows an unauthenticated attacker to view sensitive information through a network attack vector
It also follows the disclosure of a critical vulnerability in the Apache Solr open-source enterprise search engine (CVE-2024-45216, CVSS score: 9.8) that could pave the way for an authentication bypass on susceptible instances.
“A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path,” a GitHub advisory for the flaw states. “This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing.”
The issue, which affects Solr versions from 5.3.0 before 8.11.4, as well as from 9.0.0 before 9.7.0, have been remediated in versions 8.11.4 and 9.7.0, respectively.