Critical default credential bug in Kubernetes Image Builder allows SSH root access

It's called leaving the door wide open – especially in Proxmox

A critical bug in Kubernetes Image Builder could allow unauthorized SSH access to virtual machines (VMs) thanks to default credentials being enabled during the image build process.

Image Builder is a tool used to build Kubernetes VM images across multiple infrastructure providers. Images it creates include default credentials, which can be used to gain root access to VMs.

The vulnerability means VM images built with the Proxmox provider are most at risk.

This flaw is tracked as CVE-2024-9486, it earned a 9.8 out of 10 CVSS severity rating, and it affects VM images built with the Proxmox provider on Image Builder version 0.1.37 or earlier.

The issue also affects images built with Nutanix, OVA, QEMU or raw providers, but in these instances is rated 6.3 on the ten-point CVSS rating scale under a separate CVE tracker: CVE-2024-9594.

This bug can still be abused to gain root access. However, Nutanix, OVA, and QEMU disable the default credentials at the end of the image build process. This gives an attacker a much smaller window during which to exploit CVE-2024-9594 – it can only happen during the build process.

Successful exploitation of CVE-2024-9594 would require the attacker "to reach the VM where the image build was happening and use the vulnerability to modify the image at the time the image build was occurring," Red Hat's Joel Smith explained.

To fix the flaw, upgrade to Image Builder v0.1.38 or later. This version sets a randomly generated password for the duration of the image build, and then disables the builder account at the end of the build process.

After upgrading to a fixed version of Image Builder, users should re-deploy new images to any affected VMs.

Or, prior to upgrading and as a temporary workaround, users can mitigate the flaw by disabling the builder account.

Rybnikar Enterprises' Nicolai Rybnikar found and reported the bug. ®