Critical Kubernetes Image Builder credential vulnerability allows for virtual machine SSH access


A critical vulnerability has been found in the Kubernetes Image Builder that could allow threat actors to gain easy access to the Virtual Machine (VM) images it produces. A patch is already available, so if you’re using the image-building tool, make sure to update it to the latest version as soon as possible.

Kubernetes Image Builder is a tool that helps build and maintain container images for Kubernetes environments. It simplifies the building, packaging, and deployment of containerized applications by generating optimized and reproducible images ready for Kubernetes clusters.

However, a Kubernetes VM image built with the tool ships with a set of default credentials that are identical for every user. As a result, crooks can easily log in to the resulting virtual machines with root privileges.

Randomly generated password

According to The Register, VM images built with the Proxmox provider are most at risk. The flaw on this platform is tracked as CVE-2024-9486 and carries a severity rating of 9.8/10, meaning it’s critical. Image Builder versions 0.1.37 and earlier are affected, and users are advised to migrate to Image Builder v0.1.38 or later as soon as possible.

In this version, every new image build is given a randomly generated password, and the builder account is removed at the end of the build process.

Users that end up upgrading Image Builder should also re-deploy new images to any affected VMs, the publication stressed.

Besides Proxmox, other providers are at risk too, including Nutanix, OVA, QEMU, and others. In these cases, however, the severity rating is 6.3, since they disable the default credentials at the end of the image build process, giving the threat actor a much smaller window of opportunity.

Those unable to apply the patch at the moment should disable the builder account on affected images as a mitigation.
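As an added illustration of that mitigation (this is example code, not part of the Image Builder project or the article), the script below audits a VM image's account database for the shared default account and shows how locking its password hash renders it unusable. It assumes the default account is named "builder", as the article calls it; the passwd and shadow contents are constructed sample data, and the hash string is a placeholder rather than a real credential.

```python
"""Audit an image's passwd/shadow data for the default "builder" account
and produce a locked shadow entry for it (what `passwd -l` does)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample of an image that still carries the builder account
# with a usable password hash. The hash below is a placeholder, not real.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
builder:x:1000:1000::/home/builder:/bin/bash
capi:x:1001:1001::/home/capi:/bin/bash
"""

SAMPLE_SHADOW = """\
root:*:19700:0:99999:7:::
builder:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:0:99999:7:::
capi:!:19700:0:99999:7:::
"""

DEFAULT_ACCOUNT = "builder"  # assumption: name of the default build account
NO_LOGIN_SHELLS = ("", "/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


@dataclass
class AccountFinding:
    name: str
    present: bool            # account exists in passwd
    password_usable: bool    # shadow hash is neither locked nor empty
    login_shell: Optional[str]


def _rows(text):
    """Yield colon-split fields for each non-empty, non-comment line."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")


def shadow_hashes(shadow_text):
    """Map account name -> password hash field from shadow-format text."""
    return {f[0]: f[1] for f in _rows(shadow_text) if len(f) >= 2}


def hash_is_usable(h):
    """True for a hash that can authenticate: non-empty and not '!' or '*'."""
    return bool(h) and not h.startswith(("!", "*"))


def audit_default_account(passwd_text, shadow_text, name=DEFAULT_ACCOUNT):
    """Report whether the default account exists and whether it can log in."""
    passwd = {f[0]: f for f in _rows(passwd_text)}
    if name not in passwd:
        return AccountFinding(name, False, False, None)
    fields = passwd[name]
    shell = fields[6] if len(fields) > 6 else ""
    h = shadow_hashes(shadow_text).get(name, "")
    return AccountFinding(name, True, hash_is_usable(h), shell)


def is_exposed(finding):
    """Account exists, has a login shell and a usable password."""
    return (finding.present and finding.password_usable
            and finding.login_shell not in NO_LOGIN_SHELLS
            and finding.login_shell is not None)


def lock_shadow_entry(shadow_text, name=DEFAULT_ACCOUNT):
    """Return shadow text with the account's hash prefixed by '!', the same
    change `passwd -l` makes; already-locked entries are left untouched."""
    out = []
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) >= 2 and f[0] == name and not f[1].startswith("!"):
            f[1] = "!" + f[1]
        out.append(":".join(f))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = audit_default_account(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print(f"before: present={before.present} "
          f"usable_password={before.password_usable} exposed={is_exposed(before)}")
    if is_exposed(before):
        after = audit_default_account(SAMPLE_PASSWD, lock_shadow_entry(SAMPLE_SHADOW))
        print(f"after lock: usable_password={after.password_usable} "
              f"exposed={is_exposed(after)}")
```

On a real image you would point `audit_default_account` at the contents of `/etc/passwd` and `/etc/shadow` from the mounted image and, if it reports the account as exposed, lock or delete the account before the image is deployed; re-deploying images built with the patched version remains the proper fix.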

Via The Register


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
