Critical Kubernetes Image Builder credential vulnerability allows for virtual machine SSH access

News
By published

Another case of hardcoded credentials vulnerability

Holographic representation of cloud computing over open businessman's hand
(Image credit: Shutterstock)

A critical vulnerability in the Kubernetes Image Builder has been detected allowing threat actors to access different Virtual Machine (VM) images with ease. A patch is already available, so if you’re using the image building tool, make sure to update it to the latest version as soon as possible.

Kubernetes Image Builder is a tool that helps build and maintain container images for Kubernetes environments. It simplifies the building, packaging, and deployment of containerized applications by generating optimized and reproducible images ready for Kubernetes clusters.

However, when one builds a Kubernetes VM image, it comes with a set of default credentials, which are the same for every user. As a result, crooks can easily access virtual machines with root privileges.

Randomly generated password

According to The Register, VM images built with the Proxmox provider are most at risk. The flaw on this platform is tracked as CVE-2024-9486, and carries a severity rating of 9.8/10, meaning it’s critical. Image Builder version 0.1.37, or earlier, are flawed, and it is recommended users migrate to Image Builder v0.1.38, or later, as soon as possible.

In this version, every new image build will be given a randomly generated password, with the builder account being terminated at the end of the build process.

Users that end up upgrading Image Builder should also re-deploy new images to any affected VMs, the publication stressed.

Besides Proxmox, there are other providers who are at risk, too - including Nutanix, OVA, QEMU, and others: However, in these instances, the severity rating is 6.3, since they disable the default credentials at the end of the image build process, and thus give the threat actor a much smaller window of opportunity.

Those that are unable to apply the patch at the moment should disable the builder account and thus mitigate the risk.

Via The Register

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.