Headline
Critical Kubernetes Image Builder Vulnerability Exposes Nodes to Root Access Risk
A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances. The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability. "A security issue
Vulnerability / Kubernetes
A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances.
The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability.
“A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process,” Red Hat’s Joel Smith said in an alert.
“Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access.”
That having said, Kubernetes clusters are only impacted by the flaw if their nodes use virtual machine (VM) images created via the Image Builder project with the Proxmox provider.
As temporary mitigations, it has been advised to disable the builder account on affected VMs. Users are also recommended to rebuild affected images using a fixed version of Image Builder and redeploy them on VMs.
The fix put in place by the Kubernetes team eschews the default credentials for a randomly-generated password that’s set for the duration of the image build. In addition, the builder account is disabled at the end of the image build process.
Kubernetes Image Builder version 0.1.38 also addresses a related issue (CVE-2024-9594, CVSS score: 6.3) concerning default credentials when image builds are created using the Nutanix, OVA, QEMU or raw providers.
The lower severity for CVE-2024-9594 stems from the fact that the VMs using the images built using these providers are only affected “if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring.”
The development comes as Microsoft released server-side patches three Critical-rated flaws Dataverse, Imagine Cup, and Power Platform that could lead to privilege escalation and information disclosure -
- CVE-2024-38139 (CVSS score: 8.7) - Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network
- CVE-2024-38204 (CVSS score: 7.5) - Improper Access Control in Imagine Cup allows an authorized attacker to elevate privileges over a network
- CVE-2024-38190 (CVSS score: 8.6) - Missing authorization in Power Platform allows an unauthenticated attacker to view sensitive information through a network attack vector
It also follows the disclosure of a critical vulnerability in the Apache Solr open-source enterprise search engine (CVE-2024-45216, CVSS score: 9.8) that could pave the way for an authentication bypass on susceptible instances.
“A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path,” a GitHub advisory for the flaw states. “This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing.”
The issue, which affects Solr versions from 5.3.0 before 8.11.4, as well as from 9.0.0 before 9.7.0, have been remediated in versions 8.11.4 and 9.7.0, respectively.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
November Microsoft Patch Tuesday. 125 CVEs, 35 of which were added since October MSPT. 2 vulnerabilities with signs of exploitation in the wild: 🔻 Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039)🔻 Disclosure/Spoofing – NTLM Hash (CVE-2024-43451) No signs of exploitation, but with a private PoC of the exploit: 🔸 Remote Code Execution – Microsoft […]
Hi there! Here’s your quick update on the latest in cybersecurity. Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe. Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle.
Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabled at the conclusion of the image build process. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project. Because these images were vulnerable during the image build process, they are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring.
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.