CVE-2024-9486
Published 2024-10-15
Priority P2 · 61 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 2.22% (80.5th percentile)
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | kubernetes-sigs_image-builder | >= 0 < 0.1.38 | 0.1.38 |
| kubernetes-sigs | image_builder | < 0.1.38 | 0.1.38 |
| kubernetes | image_builder | <= 0.1.37 | — |
Detection & IOCs (extracted from sources)
- Look for SSH login attempts using the default 'builder' account on Kubernetes nodes built with Image Builder <= v0.1.37 using the Proxmox provider
- Audit for the existence and enabled state of the 'builder' user account on VM nodes; an enabled 'builder' account on a production node is a strong indicator of exposure
- Identify Kubernetes nodes running VM images built with Kubernetes Image Builder <= v0.1.37 via the Proxmox provider, as these retain default credentials post-build
- Only VM images built with the Proxmox provider are critically affected (CVSS critical); images built with Nutanix, OVA, QEMU, or raw providers are also affected but rated medium severity (tracked as CVE-2024-9594) because an attacker would need access to the image-building VM during the build process
- Red Hat products are not affected as the impacted component is not shipped in the Red Hat Product Portfolio
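The two node-side checks listed above (an enabled 'builder' account, and accepted SSH logins as 'builder') as an added POSIX shell audit; this is not code from the advisory, the Kubernetes Image Builder project, or any source quoted on this page. It assumes passwd/shadow-format files and an OpenSSH-style auth log whose paths are passed in, so it can also run against a mounted image root; the sample files it writes are constructed.

```shell
#!/bin/sh
# Added audit example (not from the advisory or the Image Builder project).

# builder_account_state PASSWD_FILE SHADOW_FILE
# Prints "absent", "locked" or "enabled"; returns 1 only when enabled so a
# fleet-wide loop can gate on it. Only the password field is inspected; an
# authorized_keys entry for the account would need a separate check.
builder_account_state() {
    if ! grep -q '^builder:' "$1"; then
        echo absent; return 0
    fi
    # Field 2 of the shadow entry is the hash; a leading '!' or '*' means the
    # account cannot authenticate with a password.
    pwfield=$(awk -F: '$1 == "builder" { print $2 }' "$2")
    case "$pwfield" in
        '!'*|'*'*) echo locked;  return 0 ;;
        *)         echo enabled; return 1 ;;
    esac
}

# count_builder_ssh_logins AUTH_LOG
# Counts accepted sshd authentications for the 'builder' user.
count_builder_ssh_logins() {
    grep -c 'sshd\[[0-9]*\]: Accepted .* for builder from' "$1" || true
}

# make_samples: writes constructed sample files (not taken from any real node)
# to a temporary directory and prints its path, for a stand-alone run.
make_samples() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nbuilder:x:1000:1000::/home/builder:/bin/bash\n' > "$dir/passwd"
    printf 'root:*:19000:0:99999:7:::\nbuilder:$6$constructed$notarealhash:19000:0:99999:7:::\n' > "$dir/shadow"
    printf 'Oct 16 10:01:02 node1 sshd[4242]: Accepted password for builder from 10.0.0.5 port 51234 ssh2\n' > "$dir/auth.log"
    printf 'Oct 16 10:05:00 node1 sshd[4300]: Accepted publickey for ubuntu from 10.0.0.9 port 51240 ssh2\n' >> "$dir/auth.log"
    echo "$dir"
}

# Run with --demo to exercise the checks against the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    state=$(builder_account_state "$d/passwd" "$d/shadow" || true)
    printf 'builder account: %s; accepted SSH logins as builder: %s\n' \
        "$state" "$(count_builder_ssh_logins "$d/auth.log")"
fi
```

On a live node point the functions at /etc/passwd, /etc/shadow and the sshd auth log; on a mounted image use the paths under its mount point.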
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
OSV · 2024-10-17
VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder
OSV · 2024-10-15 · CRITICAL
VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder
OSV · 2024-10-15 · CVSS 9.8 · CRITICAL
CVE-2024-9486: A security issue was discovered in the Kubernetes Image Builder versions <= v0
GHSA · 2024-10-15 · CRITICAL · CWE-798
VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder
Red Hat · 2024-10-16 · CVSS 9.8 · CRITICAL · CWE-1392
kubernetes-image-builder: VM images built with Kubernetes Image Builder use default credentials
A vulnerability was found in Kubernetes Image Builder. Kubernetes Image Builder default credentials are enabled during the image build process when using Proxmox. The credentials can
No detection rules found.
No public exploits indexed.
Wiz · 2024-11-01 · CVSS 7.2 · HIGH
Crying Out Cloud - November 2024 Newsletter | Wiz
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.
Here are our top picks!
## 🔍 Highlights
Supply Chain Attack on lottie-player
On October 30, 2024, a supply chain attack was initiated against the popular JavaScript library lottie-player, injecting malicious code that populates a Web3 wallet connection prompt on legitimate websites using the library, potentially targeting prominent cryptocurrency platforms and other high-traffic websites. The compromised versions of lottie-player were later removed from major CDNs and npm, but websites still using compromised versions of the library remain affected.
BleepingComputer · 2024-10-16 · CVSS 9.8 · CRITICAL
Critical Kubernetes Image Builder flaw gives SSH root access to VMs
By Bill Toulas
According to a security advisory on the Kubernetes community forums, the critical vulnerability affects VM images built with the Proxmox provider on Image Builder version 0.1.37 or earlier.
The issue is currently tracked as CVE-2024-9486 and consists in the use of default credentials enabled during the image-building process and not disabled afterward.
A threat actor knowing this could connect over an SSH connection and use these credentials to gain access with root privileges to vulnerable VMs.
The solution is to rebuild affected VM images using Kubernetes Image Builder version v0.1.38 or later, which sets a randomly generated password during the build process, and also disables the default “builder”