
WARNING: A FIX IS AVAILABLE FOR CVE-2024-9486, A CRITICAL RCE VULNERABILITY IN KUBERNETES IMAGE BUILDER! PATCH IMMEDIATELY!

Reference: Advisory #2024-242
Version: 1.0
Affected software: Kubernetes Image Builder version v0.1.37 or earlier if built with the Proxmox provider
Type: Remote Code Execution (RCE)
CVE/CVSS:
CVE-2024-9486: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-9594: CVSS 6.3 (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)

Sources

Kubernetes - https://kubernetes.io/docs/reference/issues-security/official-cve-feed/

Risks

A critical severity vulnerability, CVE-2024-9486, was discovered in Kubernetes Image Builder, a tool for building Kubernetes virtual machine (VM) images across multiple infrastructure providers.

Although this vulnerability has not yet been exploited in the wild, its severity (high impact on confidentiality, integrity, and availability) and ease of exploitation (no authentication required) create a high risk and require immediate patching.

Description

CVE-2024-9486 is a critical security issue (CVSS 9.8) in Kubernetes Image Builder: an unauthorized user may be able to SSH into a node VM that uses a VM image built with the Image Builder project.

VMs using images built with the Proxmox provider are confirmed vulnerable through default credentials: the build process does not disable the default credentials, so nodes using the resulting images may be accessible via them, and the credentials can then be used to gain root access.

For VMs using images built with the Nutanix, OVA, QEMU or raw providers, this vulnerability has been rated Medium (6.3) and assigned CVE-2024-9594. In this case the VMs are vulnerable only during the build process, and are affected only if an attacker is able to reach the VM on which the image build is taking place.

VMs using images built with all other providers are not affected. Both vulnerabilities affect Image Builder version v0.1.37 or earlier.

It is recommended to rebuild any affected images using the fixed Image Builder version v0.1.38 and to re-deploy the fixed images to any affected VMs.
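The following audit helper is an added example, not code from the CCB advisory or from the Image Builder project. It checks the two conditions behind the issue described above on a node: whether the build-time account still has a usable password, and whether sshd accepts password authentication. It assumes the build account is named `builder` (override with `BUILD_USER`) and takes copies of `/etc/shadow` and `sshd_config` as arguments, so it can be run against files pulled from a node or from a mounted image.

```shell
#!/bin/sh
# Audit a node image for the default-credential SSH path behind CVE-2024-9486.
# Assumptions (not from the advisory): the build-time account is called "builder";
# the checks read copies of /etc/shadow and sshd_config passed as $1 and $2.
BUILD_USER="${BUILD_USER:-builder}"   # assumed account name; adjust for your images

# Return 0 if the shadow entry for user $1 in file $2 carries a usable password hash.
# Locked or disabled accounts have '!' or '*' (or nothing) in the password field.
build_user_has_password() {
    user="$1"; shadow="$2"
    pwfield=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow")
    case "$pwfield" in
        ""|"!"*|"*"*) return 1 ;;   # no entry, locked, or disabled
        *)            return 0 ;;
    esac
}

# Return 0 if the sshd config in $1 permits password authentication.
# sshd uses the first occurrence of a keyword and defaults to "yes" when absent.
# This simple parser ignores Match blocks and Include directives.
sshd_allows_password_auth() {
    cfg="$1"
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$cfg")
    [ "${val:-yes}" = "yes" ]
}

# Combine both checks; return 1 (exposed) only when both conditions hold.
audit_node() {
    shadow="$1"; cfg="$2"; pw=0; ssh=0
    if build_user_has_password "$BUILD_USER" "$shadow"; then
        echo "WARN: account '$BUILD_USER' still has a usable password in $shadow"; pw=1
    fi
    if sshd_allows_password_auth "$cfg"; then
        echo "WARN: $cfg permits password authentication"; ssh=1
    fi
    if [ "$pw" -eq 1 ] && [ "$ssh" -eq 1 ]; then
        echo "RESULT: exposed - rebuild with Image Builder v0.1.38 and redeploy"
        return 1
    fi
    echo "RESULT: default-credential SSH path is not open on this node"
    return 0
}

# Usage: ./audit.sh /path/to/shadow /path/to/sshd_config
if [ "$#" -eq 2 ]; then audit_node "$1" "$2"; fi
```

A non-zero exit from `audit_node` means the image must be rebuilt and redeployed rather than just hardened in place, since the advisory's fix is in the build process.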

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
