Critical Kubernetes Image Builder credential vulnerability allows for virtual machine SSH access

A critical vulnerability in the Kubernetes Image Builder has been disclosed that allows threat actors to access Virtual Machine (VM) images built with the tool with ease. A patch is already available, so if you’re using the image building tool, make sure to update it to the latest version as soon as possible.

Kubernetes Image Builder is a tool that helps build and maintain container images for Kubernetes environments. It simplifies the building, packaging, and deployment of containerized applications by generating optimized and reproducible images ready for Kubernetes clusters.

However, when one builds a Kubernetes VM image, the image comes with a set of default credentials that are the same for every user. As a result, crooks who can reach such a VM can log in with root-level privileges.

Randomly generated password

According to The Register, VM images built with the Proxmox provider are most at risk. The flaw on this platform is tracked as CVE-2024-9486 and carries a severity rating of 9.8/10, meaning it’s critical. Image Builder versions 0.1.37 and earlier are affected, and users are advised to migrate to Image Builder v0.1.38 or later as soon as possible.

In this version, every new image build is given a randomly generated password, and the builder account is disabled at the end of the build process.

Users who upgrade Image Builder should also rebuild and re-deploy new images to any affected VMs, the publication stressed, since the upgrade alone does not fix images that were already built.

Besides Proxmox, other providers are at risk too, including Nutanix, OVA, QEMU, and others. In these instances, however, the severity rating is 6.3, since those providers disable the default credentials at the end of the image build process and thus give the threat actor a much smaller window of opportunity.

Those unable to apply the patch at the moment should disable the builder account on their images and running VMs to mitigate the risk.
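The following audit script is an added example for defenders and is not part of the article or of the Kubernetes Image Builder project. It checks a Linux VM (or a mounted image) for a leftover build-time account and reports whether that account is still usable, and it reads the sshd configuration to see whether password logins are even possible. The account name "builder" is an assumption used here; set `BUILDER_USER` if your images use a different name. The `/etc/passwd`, `/etc/shadow` and `sshd_config` samples at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article or the Image Builder project):
# audit a Linux VM for a leftover image-build account and for password SSH logins.
# Assumption: the build-time account is called "builder".
BUILDER_USER="${BUILDER_USER:-builder}"

# builder_account_state PASSWD_FILE SHADOW_FILE USER
# Prints "absent" if the user is not in passwd, "locked" if its shadow hash is
# disabled ("!" or "*" prefix), and "active" if a password hash (or an empty
# field, which allows passwordless login) is present.
builder_account_state() {
    passwd_file="$1"; shadow_file="$2"; user="$3"
    if ! grep -q "^${user}:" "$passwd_file"; then
        echo absent
        return 0
    fi
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
    case "$hash" in
        "!"*|"*"*) echo locked ;;
        *)         echo active ;;
    esac
}

# sshd_password_auth SSHD_CONFIG
# Prints the effective PasswordAuthentication value. sshd uses the first
# occurrence of a keyword; the OpenSSH default when it is unset is "yes".
sshd_password_auth() {
    awk 'tolower($1) == "passwordauthentication" && v == "" { v = tolower($2) }
         END { if (v == "") v = "yes"; print v }' "$1"
}

# Demo on constructed files: a VM whose builder account was never disabled.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
builder:x:1000:1000::/home/builder:/bin/bash
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:*:19600:0:99999:7:::
builder:$6$constructedsalt$constructedhash:19600:0:99999:7:::
EOF
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sshd_config sample
Port 22
PasswordAuthentication yes
EOF

state=$(builder_account_state "$demo_dir/passwd" "$demo_dir/shadow" "$BUILDER_USER")
pw_auth=$(sshd_password_auth "$demo_dir/sshd_config")
echo "account '$BUILDER_USER': $state; sshd PasswordAuthentication: $pw_auth"
if [ "$state" = active ] && [ "$pw_auth" = yes ]; then
    echo "FINDING: build account is usable over password SSH; lock it (passwd -l $BUILDER_USER) and rebuild the image"
fi
rm -rf "$demo_dir"
```

Run it as-is to see the demo verdict, or point the two functions at `/etc/passwd`, `/etc/shadow` and `/etc/ssh/sshd_config` on a running VM (or under a mount point of an image) to audit real systems. An "active" result with password authentication enabled is the condition the article describes; "locked" or "absent" is the state a v0.1.38 build, or the manual mitigation, should leave behind.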

Via The Register
